Windows Analysis Report
I5vhb7vJPS.exe

Overview

General Information

Sample name: I5vhb7vJPS.exe (renamed because the original name is a hash value)
Original sample name: b2de784471ee083a4a7e2d6f3057e00c.exe
Analysis ID: 1457406
MD5: b2de784471ee083a4a7e2d6f3057e00c
SHA1: 03e5e0fd35a1eba05ddb6d0c4f4a9d8c8d4c67a3
SHA256: a58c26dd8d015d4e3b081b09c3b21f1cff71e42abe545d90872c2eef003d51c9
Tags: 32exe

Detection

Tofsee
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • I5vhb7vJPS.exe (PID: 2060 cmdline: "C:\Users\user\Desktop\I5vhb7vJPS.exe" MD5: B2DE784471EE083A4A7E2D6F3057E00C)
    • cmd.exe (PID: 7132 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jjcfhqgg\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7188 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\wzsddmnn.exe" C:\Windows\SysWOW64\jjcfhqgg\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7248 cmdline: "C:\Windows\System32\sc.exe" create jjcfhqgg binPath= "C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d\"C:\Users\user\Desktop\I5vhb7vJPS.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7316 cmdline: "C:\Windows\System32\sc.exe" description jjcfhqgg "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 7372 cmdline: "C:\Windows\System32\sc.exe" start jjcfhqgg MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 7448 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7556 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 1028 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • wzsddmnn.exe (PID: 7424 cmdline: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d"C:\Users\user\Desktop\I5vhb7vJPS.exe" MD5: 7A52D04B959713B97D2AED6162857A7F)
    • svchost.exe (PID: 7612 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 7648 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7424 -s 584 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 7456 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 7536 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2060 -ip 2060 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7620 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7424 -ip 7424 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts); however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
Extracted malware configuration: {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Yara matches in memory dumps (.sdmp)

Source: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_Tofsee (Yara detected Tofsee; author: Joe Security)
  Rule: Windows_Trojan_Tofsee_26124fe4 (description: unknown; author: unknown)
    • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
  Rule: MALWARE_Win_Tofsee (Detects Tofsee; author: ditekSHen)
    • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
    • 0x10310:$s2: loader_id
    • 0x10340:$s3: start_srv
    • 0x10370:$s4: lid_file_upd
    • 0x10364:$s5: localcfg
    • 0x10a94:$s6: Incorrect respons
    • 0x10b74:$s7: mx connect error
    • 0x10af0:$s8: Error sending command (sent = %d/%d)
    • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
Source: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp
  Rule: JoeSecurity_Tofsee (Yara detected Tofsee; author: Joe Security)
  Rule: Windows_Trojan_Smokeloader_3687686f (description: unknown; author: unknown)
    • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
(24 further memory-dump entries are not shown in this extract)

Yara matches in unpacked PE files

Source: 0.2.I5vhb7vJPS.exe.20b0e67.1.unpack
  Rule: Windows_Trojan_Tofsee_26124fe4 (description: unknown; author: unknown)
    • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
  Rule: MALWARE_Win_Tofsee (Detects Tofsee; author: ditekSHen)
    • 0xe110:$s2: loader_id
    • 0xe140:$s3: start_srv
    • 0xe170:$s4: lid_file_upd
    • 0xe164:$s5: localcfg
    • 0xe894:$s6: Incorrect respons
Source: 11.3.wzsddmnn.exe.d90000.0.unpack
  Rule: Windows_Trojan_Tofsee_26124fe4 (description: unknown; author: unknown)
    • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
  Rule: MALWARE_Win_Tofsee (Detects Tofsee; author: ditekSHen)
    • 0xe110:$s2: loader_id
    • 0xe140:$s3: start_srv
    • 0xe170:$s4: lid_file_upd
    • 0xe164:$s5: localcfg
    • 0xe894:$s6: Incorrect respons
Source: 11.2.wzsddmnn.exe.630e67.1.unpack
  Rule: Windows_Trojan_Tofsee_26124fe4 (description: unknown; author: unknown)
    • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
    • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
(39 further unpacked-PE entries are not shown in this extract)

      System Summary

Source: Process started
  Author: David Burkett, @signalblur
  Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d"C:\Users\user\Desktop\I5vhb7vJPS.exe", ParentImage: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe, ParentProcessId: 7424, ParentProcessName: wzsddmnn.exe, ProcessCommandLine: svchost.exe, ProcessId: 7612, ProcessName: svchost.exe
Source: Process started
  Author: Nasreddine Bencherchali (Nextron Systems)
  Data: Command: "C:\Windows\System32\sc.exe" create jjcfhqgg binPath= "C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d\"C:\Users\user\Desktop\I5vhb7vJPS.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create jjcfhqgg binPath= "C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d\"C:\Users\user\Desktop\I5vhb7vJPS.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\I5vhb7vJPS.exe", ParentImage: C:\Users\user\Desktop\I5vhb7vJPS.exe, ParentProcessId: 2060, ParentProcessName: I5vhb7vJPS.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create jjcfhqgg binPath= "C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d\"C:\Users\user\Desktop\I5vhb7vJPS.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7248, ProcessName: sc.exe
Source: Network Connection
  Author: frack113
  Data: DestinationIp: 104.47.54.36, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 7612, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49732
Source: Process started
  Author: Florian Roth (Nextron Systems)
  Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d"C:\Users\user\Desktop\I5vhb7vJPS.exe", ParentImage: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe, ParentProcessId: 7424, ParentProcessName: wzsddmnn.exe, ProcessCommandLine: svchost.exe, ProcessId: 7612, ProcessName: svchost.exe
Source: Registry Key set
  Author: Christian Burkard (Nextron Systems)
  Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7612, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\jjcfhqgg
Source: Process started
  Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
  Data: Command: "C:\Windows\System32\sc.exe" create jjcfhqgg binPath= "C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d\"C:\Users\user\Desktop\I5vhb7vJPS.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create jjcfhqgg binPath= "C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d\"C:\Users\user\Desktop\I5vhb7vJPS.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\I5vhb7vJPS.exe", ParentImage: C:\Users\user\Desktop\I5vhb7vJPS.exe, ParentProcessId: 2060, ParentProcessName: I5vhb7vJPS.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create jjcfhqgg binPath= "C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d\"C:\Users\user\Desktop\I5vhb7vJPS.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 7248, ProcessName: sc.exe
Source: Process started
  Author: vburov
  Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 7456, ProcessName: svchost.exe
      No Snort rule has matched
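The Sigma matches above all fire on fields that Sysmon-style process, registry and network events carry. The following is an added example, not part of the Joe Sandbox report or of any Sigma rule: a small Python detector that replays the events of this analysis (service creation through sc.exe from a Desktop binary, a netsh allow rule for SysWOW64\svchost.exe, svchost.exe spawned by the service binary with no -k group, a Defender path exclusion, and outbound TCP/25 from svchost.exe). The events are constructed from the process tree and the Sigma Data fields in this report; the parent of the WerSvcGroup svchost.exe (services.exe) is assumed, since the report lists only its parent PID, and the mail-client allowlist is a placeholder. The command-line splitter matters here: sc.exe's binPath value contains escaped quotes, and the parser recovers the exact ImagePath the service later ran with.

```python
"""Replay of this report's events through a detector mirroring the matched Sigma logic.
Added example; events are constructed from the report, not captured telemetry."""


def split_cmdline(cmd):
    """Split a Windows command line roughly as CommandLineToArgvW does: whitespace
    separates arguments, double quotes group, a backslash directly before a quote
    yields a literal quote, every other backslash is kept so paths survive.
    (Like Windows itself, a trailing backslash before a closing quote is ambiguous.)"""
    args, cur, in_quotes, i = [], [], False, 0
    while i < len(cmd):
        c = cmd[i]
        if c == "\\" and i + 1 < len(cmd) and cmd[i + 1] == '"':
            cur.append('"')
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        args.append("".join(cur))
    return args


def parse_sc_create(argv):
    """sc.exe uses 'option= value' pairs: the option token ends with '=' and the
    value is the next token. Returns None unless this is an 'sc create'."""
    if len(argv) < 3 or argv[1].lower() != "create":
        return None
    opts, i = {"name": argv[2]}, 3
    while i + 1 < len(argv):
        if argv[i].endswith("="):
            opts[argv[i][:-1].lower()] = argv[i + 1]
            i += 2
        else:
            i += 1
    return opts


def parse_netsh_rule(argv):
    """'netsh advfirewall firewall add rule' uses key=value tokens without a space."""
    if [a.lower() for a in argv[1:5]] != ["advfirewall", "firewall", "add", "rule"]:
        return None
    opts = {}
    for tok in argv[5:]:
        key, sep, val = tok.partition("=")
        if sep:
            opts[key.lower()] = val
    return opts


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # constructed allowlist; tune per estate


def detect(events):
    """Return (rule, subject, detail) tuples for events that match the five checks."""
    findings = []
    for ev in events:
        img = basename(ev.get("Image", ""))
        if ev["EventID"] == 1:  # process creation
            argv = split_cmdline(ev["CommandLine"])
            parent = ev.get("ParentImage", "")
            if img == "sc.exe":
                svc = parse_sc_create(argv)
                # services are installed by installers from system paths, not by a file on a Desktop
                if svc and parent.lower().startswith("c:\\users\\"):
                    findings.append(("service_from_user_process", svc["name"], svc.get("binpath")))
            elif img == "netsh.exe":
                rule = parse_netsh_rule(argv)
                # svchost.exe never needs a per-program allow rule; here it hosts injected code
                if rule and rule.get("action") == "allow" and basename(rule.get("program", "")) == "svchost.exe":
                    findings.append(("firewall_allow_for_svchost", rule.get("name"), rule.get("program")))
            elif img == "svchost.exe":
                # legitimate svchost.exe is started by services.exe with a -k service group
                if basename(parent) != "services.exe" or "-k" not in argv:
                    findings.append(("anomalous_svchost", parent, ev["CommandLine"]))
        elif ev["EventID"] == 13:  # registry value set
            if "\\windows defender\\exclusions\\" in ev["TargetObject"].lower():
                findings.append(("defender_exclusion_added", ev["TargetObject"].rsplit("\\Exclusions\\", 1)[-1], img))
        elif ev["EventID"] == 3:  # network connection
            if ev.get("DestinationPort") == 25 and img not in MAIL_CLIENTS:
                findings.append(("outbound_smtp_from_non_mail_client", ev["DestinationIp"], img))
    return findings


# Constructed from the process tree and Sigma Data fields of this report.
EVENTS = [
    {"EventID": 1, "ProcessId": 7248, "Image": r"C:\Windows\SysWOW64\sc.exe",
     "ParentImage": r"C:\Users\user\Desktop\I5vhb7vJPS.exe",
     "CommandLine": r'"C:\Windows\System32\sc.exe" create jjcfhqgg binPath= "C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d\"C:\Users\user\Desktop\I5vhb7vJPS.exe\"" type= own start= auto DisplayName= "wifi support"'},
    {"EventID": 1, "ProcessId": 7448, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "ParentImage": r"C:\Users\user\Desktop\I5vhb7vJPS.exe",
     "CommandLine": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'},
    {"EventID": 1, "ProcessId": 7612, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ParentImage": r"C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe", "CommandLine": "svchost.exe"},
    {"EventID": 1, "ProcessId": 7456, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",  # assumed; report gives only PID 620
     "CommandLine": r"C:\Windows\System32\svchost.exe -k WerSvcGroup"},
    {"EventID": 13, "ProcessId": 7612, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\jjcfhqgg"},
    {"EventID": 3, "ProcessId": 7612, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "DestinationIp": "104.47.54.36", "DestinationPort": 25, "Protocol": "tcp"},
]

if __name__ == "__main__":
    for rule, subject, detail in detect(EVENTS):
        print(f"{rule}: {subject} ({detail})")
```

Run stand-alone it prints five findings, one per Sigma match in the report; the benign WerSvcGroup svchost.exe does not fire. Note that the first finding's detail is the unescaped binPath, which is exactly the command line of PID 7424 in the process tree, so the same parser can be used to pivot from a 4688/Sysmon event to the service ImagePath registry value.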

      AV Detection

Source: I5vhb7vJPS.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\wzsddmnn.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 0.3.I5vhb7vJPS.exe.20d0000.0.raw.unpack | Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.4% probability
Source: C:\Users\user\AppData\Local\Temp\wzsddmnn.exe | Joe Sandbox ML: detected
Source: I5vhb7vJPS.exe | Joe Sandbox ML: detected

      Compliance

Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Unpacked PE file: 0.2.I5vhb7vJPS.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Unpacked PE file: 11.2.wzsddmnn.exe.400000.0.unpack
Source: I5vhb7vJPS.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

      Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\jjcfhqgg

      Networking

Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150:25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 62.76.228.127:443
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.54.36:25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.166.27:25
Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.110:25
Source: Malware configuration extractor | URLs: vanaheim.cn:443
Source: Malware configuration extractor | URLs: jotunheim.name:443
Source: Joe Sandbox View | IP Address: 217.69.139.150
Source: Joe Sandbox View | IP Address: 67.195.228.110
Source: Joe Sandbox View | IP Address: 104.47.54.36
Source: Joe Sandbox View | ASN Name: MAILRU-ASMailRuRU
Source: Joe Sandbox View | ASN Name: YAHOO-GQ1US
Source: Joe Sandbox View | ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: global traffic | TCP traffic: 192.168.2.4:49732 -> 104.47.54.36:25
Source: global traffic | TCP traffic: 192.168.2.4:60617 -> 67.195.228.110:25
Source: global traffic | TCP traffic: 192.168.2.4:60618 -> 64.233.166.27:25
Source: global traffic | TCP traffic: 192.168.2.4:60621 -> 217.69.139.150:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (8 occurrences)
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic | DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic | DNS query: vanaheim.cn
Source: global traffic | DNS query: yahoo.com
Source: global traffic | DNS query: mta6.am0.yahoodns.net
Source: global traffic | DNS query: google.com
Source: global traffic | DNS query: smtp.google.com
Source: global traffic | DNS query: mail.ru
Source: global traffic | DNS query: mxs.mail.ru
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60619
Source: unknown | Network traffic detected: HTTP traffic on port 60619 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 60622
Source: unknown | Network traffic detected: HTTP traffic on port 60622 -> 443

      Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 11.2.wzsddmnn.exe.630e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.wzsddmnn.exe.dd0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.I5vhb7vJPS.exe.20d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.3.wzsddmnn.exe.d90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.wzsddmnn.exe.dd0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.I5vhb7vJPS.exe.20b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.wzsddmnn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.I5vhb7vJPS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.wzsddmnn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.I5vhb7vJPS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1756650523.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000003.1754871214.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1689229491.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: I5vhb7vJPS.exe PID: 2060, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wzsddmnn.exe PID: 7424, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 7612, type: MEMORYSTR

      System Summary

Source: 0.2.I5vhb7vJPS.exe.20b0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.I5vhb7vJPS.exe.20b0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.3.wzsddmnn.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.3.wzsddmnn.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.wzsddmnn.exe.630e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.wzsddmnn.exe.630e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.wzsddmnn.exe.630e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.wzsddmnn.exe.630e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.wzsddmnn.exe.dd0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.wzsddmnn.exe.dd0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.I5vhb7vJPS.exe.20d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.I5vhb7vJPS.exe.20d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.3.wzsddmnn.exe.d90000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.3.wzsddmnn.exe.d90000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.wzsddmnn.exe.dd0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.wzsddmnn.exe.dd0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.I5vhb7vJPS.exe.20b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.I5vhb7vJPS.exe.20b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.wzsddmnn.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.wzsddmnn.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.I5vhb7vJPS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.I5vhb7vJPS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 17.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 17.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 11.2.wzsddmnn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 11.2.wzsddmnn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.3.I5vhb7vJPS.exe.20d0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.3.I5vhb7vJPS.exe.20d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0.2.I5vhb7vJPS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0.2.I5vhb7vJPS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 17.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 17.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.1728900989.0000000000623000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000B.00000002.1756650523.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000002.1756650523.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 0000000B.00000003.1754871214.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000003.1754871214.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Source: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 0000000B.00000002.1756464706.000000000049E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000003.1689229491.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
Source: 00000000.00000003.1689229491.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
Note: the Windows_Trojan_Smokeloader_3687686f and Windows_Trojan_RedLineStealer_ed346e4c hits above are single memory-dump matches on processes that the two Tofsee rules, the Joe Security rule and the configuration extractor all attribute to Tofsee; the report's family verdict (Tofsee, confidence 100%) rests on those Tofsee signals, and the two other rule names should not be read as evidence of a second payload without further analysis.
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_00408E26 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\jjcfhqgg\
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_0040C913
Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Code function: 11_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_004CC913
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: String function: 020B27AB appears 35 times
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: String function: 00402544 appears 53 times
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2060 -ip 2060
Source: I5vhb7vJPS.exe, 00000000.00000002.1728449668.0000000000432000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesasdf* vs I5vhb7vJPS.exe
Source: I5vhb7vJPS.exe, 00000000.00000002.1728956745.0000000000668000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesasdf* vs I5vhb7vJPS.exe
Source: I5vhb7vJPS.exe, 00000000.00000002.1728956745.0000000000668000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs I5vhb7vJPS.exe
Source: I5vhb7vJPS.exe | Binary or memory string: OriginalFilenamesasdf* vs I5vhb7vJPS.exe
Source: I5vhb7vJPS.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.I5vhb7vJPS.exe.20b0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.I5vhb7vJPS.exe.20b0e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.3.wzsddmnn.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.3.wzsddmnn.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.wzsddmnn.exe.630e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.wzsddmnn.exe.630e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.wzsddmnn.exe.630e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.wzsddmnn.exe.630e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.wzsddmnn.exe.dd0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.wzsddmnn.exe.dd0000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.I5vhb7vJPS.exe.20d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.I5vhb7vJPS.exe.20d0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.3.wzsddmnn.exe.d90000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.3.wzsddmnn.exe.d90000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.wzsddmnn.exe.dd0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.wzsddmnn.exe.dd0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.I5vhb7vJPS.exe.20b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.I5vhb7vJPS.exe.20b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.wzsddmnn.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.wzsddmnn.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.I5vhb7vJPS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.I5vhb7vJPS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 17.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 17.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.wzsddmnn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.wzsddmnn.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.3.I5vhb7vJPS.exe.20d0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.3.I5vhb7vJPS.exe.20d0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0.2.I5vhb7vJPS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.I5vhb7vJPS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 17.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 17.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000002.1728900989.0000000000623000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000B.00000002.1756650523.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000002.1756650523.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 0000000B.00000003.1754871214.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000003.1754871214.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0000000B.00000002.1756464706.000000000049E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000003.1689229491.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 00000000.00000003.1689229491.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: classification engine | Classification label: mal100.troj.evad.winEXE@31/3@8/5
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_00627B50 CreateToolhelp32Snapshot,Module32First
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_004C9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7256:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5480:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:7536:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:7620:64:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | File created: C:\Users\user\AppData\Local\Temp\wzsddmnn.exe
Source: I5vhb7vJPS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | File read: C:\Users\user\Desktop\I5vhb7vJPS.exe
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_0-14750)
Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess (graph_11-14892)
Source: unknown | Process created: C:\Users\user\Desktop\I5vhb7vJPS.exe "C:\Users\user\Desktop\I5vhb7vJPS.exe"
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jjcfhqgg\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\wzsddmnn.exe" C:\Windows\SysWOW64\jjcfhqgg\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create jjcfhqgg binPath= "C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d\"C:\Users\user\Desktop\I5vhb7vJPS.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description jjcfhqgg "wifi internet conection"
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start jjcfhqgg
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d"C:\Users\user\Desktop\I5vhb7vJPS.exe"
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2060 -ip 2060
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 1028
Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7424 -ip 7424
Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7424 -s 584
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jjcfhqgg\
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\wzsddmnn.exe" C:\Windows\SysWOW64\jjcfhqgg\
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create jjcfhqgg binPath= "C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d\"C:\Users\user\Desktop\I5vhb7vJPS.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description jjcfhqgg "wifi internet conection"
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start jjcfhqgg
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2060 -ip 2060
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 1028
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7424 -ip 7424
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7424 -s 584
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Section loaded: msimg32.dll
Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Section loaded: msvcr100.dll
Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
      Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
      Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
      Source: I5vhb7vJPS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

      Data Obfuscation

      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Unpacked PE file: 0.2.I5vhb7vJPS.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Unpacked PE file: 11.2.wzsddmnn.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Unpacked PE file: 0.2.I5vhb7vJPS.exe.400000.0.unpack
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Unpacked PE file: 11.2.wzsddmnn.exe.400000.0.unpack
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_0062AE38 push 0000002Bh; iretd 0_2_0062AE3E
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Code function: 11_2_004A5B30 push 0000002Bh; iretd 11_2_004A5B36

      Persistence and Installation Behavior

      Source: unknown | Executable created and started: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe
      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe (copy)
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | File created: C:\Users\user\AppData\Local\Temp\wzsddmnn.exe
      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe (copy)
      Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jjcfhqgg
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create jjcfhqgg binPath= "C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d\"C:\Users\user\Desktop\I5vhb7vJPS.exe\"" type= own start= auto DisplayName= "wifi support"

      Hooking and other Techniques for Hiding and Protection

      Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\i5vhb7vjps.exe
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 17_2_004C199C
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_11-15751
      Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_17-6438
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-15185
      Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision graph_17-6145
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-15192
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_11-15267
      Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_17-7327
      Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_17-7447
      Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_17-6175
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-14765
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_11-14907
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | API coverage: 5.4 %
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | API coverage: 3.9 %
      Source: C:\Windows\SysWOW64\svchost.exe TID: 7656 | Thread sleep count: 32 > 30
      Source: C:\Windows\SysWOW64\svchost.exe TID: 7656 | Thread sleep time: -32000s >= -30000s
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 0_2_00401D96
      Source: svchost.exe, 00000011.00000002.2903167082.0000000002A00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQf-
      Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node graph_17-6179
      Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node graph_17-6437

      Anti Debugging

      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_0-16236
      Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_17-7671
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_0062742D push dword ptr fs:[00000030h] 0_2_0062742D
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_020B092B mov eax, dword ptr fs:[00000030h] 0_2_020B092B
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_020B0D90 mov eax, dword ptr fs:[00000030h] 0_2_020B0D90
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Code function: 11_2_004A2125 push dword ptr fs:[00000030h] 11_2_004A2125
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Code function: 11_2_0063092B mov eax, dword ptr fs:[00000030h] 11_2_0063092B
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Code function: 11_2_00630D90 mov eax, dword ptr fs:[00000030h] 11_2_00630D90
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 0_2_0040EBCC
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 11_2_00409A6B
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_004C9A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 17_2_004C9A6B

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 62.76.228.127 443
      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.54.36 25
      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.166.27 25
      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.228.110 25
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 4C0000 protect: page execute and read and write
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 4C0000 value starts with: 4D5A
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 4C0000
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3E5008
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jjcfhqgg\
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\wzsddmnn.exe" C:\Windows\SysWOW64\jjcfhqgg\
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create jjcfhqgg binPath= "C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d\"C:\Users\user\Desktop\I5vhb7vJPS.exe\"" type= own start= auto DisplayName= "wifi support"
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description jjcfhqgg "wifi internet conection"
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start jjcfhqgg
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2060 -ip 2060
      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 1028
      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7424 -ip 7424
      Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7424 -s 584
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, 0_2_00407809
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00406EDD
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, 0_2_0040405E
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exeCode function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount,0_2_0040EC54
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exeCode function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exeCode function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA,0_2_0040B211
      Source: C:\Users\user\Desktop\I5vhb7vJPS.exeCode function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,0_2_00409326

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\I5vhb7vJPS.exe; Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

Stealing of Sensitive Information

Source: Yara match; file source: 11.2.wzsddmnn.exe.630e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.2.wzsddmnn.exe.dd0000.2.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.3.I5vhb7vJPS.exe.20d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.3.wzsddmnn.exe.d90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.2.wzsddmnn.exe.dd0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.I5vhb7vJPS.exe.20b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.2.wzsddmnn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.I5vhb7vJPS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.2.wzsddmnn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.I5vhb7vJPS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000002.1756650523.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000003.1754871214.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000003.1689229491.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: I5vhb7vJPS.exe PID: 2060, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: wzsddmnn.exe PID: 7424, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: svchost.exe PID: 7612, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; file source: 11.2.wzsddmnn.exe.630e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.2.wzsddmnn.exe.dd0000.2.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.3.I5vhb7vJPS.exe.20d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.3.wzsddmnn.exe.d90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.2.wzsddmnn.exe.dd0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.I5vhb7vJPS.exe.20b0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.2.wzsddmnn.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.I5vhb7vJPS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.2.svchost.exe.4c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 11.2.wzsddmnn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 0.2.I5vhb7vJPS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; file source: 17.2.svchost.exe.4c0000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000002.1756650523.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 0000000B.00000003.1754871214.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000003.1689229491.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: I5vhb7vJPS.exe PID: 2060, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: wzsddmnn.exe PID: 7424, type: MEMORYSTR
Source: Yara match; file source: Process Memory Space: svchost.exe PID: 7612, type: MEMORYSTR
Source: C:\Users\user\Desktop\I5vhb7vJPS.exe; Code function 0_2_004088B0: CreateThread, CreateThread, send, recv, socket, connect, closesocket, setsockopt, bind, listen, accept, select, getpeername, getsockname
Source: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe; Code function 11_2_004088B0: CreateThread, CreateThread, send, recv, socket, connect, closesocket, setsockopt, bind, listen, accept, select, getpeername, getsockname
Source: C:\Windows\SysWOW64\svchost.exe; Code function 17_2_004C88B0: CreateThread, CreateThread, send, recv, socket, connect, closesocket, setsockopt, bind, listen, accept, select, getpeername, getsockname
MITRE ATT&CK Matrix (reconstructed from the flattened table; one line per tactic, cells listed in row order; digits preceding a technique name are the count markers as they appear in the original cell)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: 41 Native API; 2 Command and Scripting Interpreter; 3 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 14 Windows Service; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: 1 DLL Side-Loading; 1 Valid Accounts; 1 Access Token Manipulation; 14 Windows Service; 412 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: 3 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 12 Masquerading; 1 Valid Accounts; 11 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 412 Process Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 15 System Information Discovery; 111 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery; Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: 1 Ingress Tool Transfer; 12 Encrypted Channel; 1 Non-Application Layer Protocol; 112 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph (ID: 1457406, Sample: I5vhb7vJPS.exe, Startdate: 14/06/2024, Architecture: WINDOWS, Score: 100), reconstructed as a process tree from the graph residue:

Start
  DNS/IP: yahoo.com; vanaheim.cn; 6 other IPs or domains
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 9 other signatures
  wzsddmnn.exe
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
    svchost.exe
      DNS/IP: mta6.am0.yahoodns.net 67.195.228.110, port 25, YAHOO-GQ1US, United States; microsoft-com.mail.protection.outlook.com 104.47.54.36, port 25, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; 3 other IPs or domains
      Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)
    WerFault.exe
  I5vhb7vJPS.exe
    Dropped: C:\Users\user\AppData\Local\...\wzsddmnn.exe, PE32
    Signatures: Found API chain indicative of debugger detection; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
    cmd.exe
      Dropped: C:\Windows\SysWOW64\...\wzsddmnn.exe (copy), PE32
      conhost.exe
    netsh.exe
      conhost.exe
    cmd.exe
      conhost.exe
    4 other processes
      conhost.exe (3 instances)
  svchost.exe
    WerFault.exe
    WerFault.exe

Source | Detection | Scanner | Label
I5vhb7vJPS.exe | 100% | Avira | HEUR/AGEN.1310445
I5vhb7vJPS.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\wzsddmnn.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\wzsddmnn.exe | 100% | Joe Sandbox ML |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
vanaheim.cn:443 | 0% | Avira URL Cloud | safe
jotunheim.name:443 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mta6.am0.yahoodns.net | 67.195.228.110 | true | true | | unknown
mxs.mail.ru | 217.69.139.150 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 104.47.54.36 | true | true | | unknown
vanaheim.cn | 62.76.228.127 | true | true | | unknown
smtp.google.com | 64.233.166.27 | true | false | | unknown
google.com | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
vanaheim.cn:443 | true | Avira URL Cloud: safe | unknown
jotunheim.name:443 | true | Avira URL Cloud: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
64.233.166.27 | smtp.google.com | United States | 15169 | GOOGLEUS | false
62.76.228.127 | vanaheim.cn | Russian Federation | 201211 | DRUGOYTEL-ASRU | true
67.195.228.110 | mta6.am0.yahoodns.net | United States | 36647 | YAHOO-GQ1US | true
104.47.54.36 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1457406
Start date and time: 2024-06-14 17:49:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 51s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: I5vhb7vJPS.exe
renamed because original name is a hash value
Original Sample Name: b2de784471ee083a4a7e2d6f3057e00c.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@31/3@8/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 62
• Number of non-executed functions: 260
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.112.250.133, 20.70.246.20, 20.76.201.171, 20.236.44.162, 20.231.239.246
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: I5vhb7vJPS.exe

Time | Type | Description
11:50:48 | API Interceptor | 5x Sleep call for process: svchost.exe modified
                                                                                    • 217.69.139.150
                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                    DRUGOYTEL-ASRUlYWiDKe1In.exeGet hashmaliciousTofseeBrowse
                                                                                    • 62.76.228.127
                                                                                    http://students.humanconnections.com.au/Y0X.swf?8o542c!cbbbbxm0wqr!c!jtn1s!f40w2!dg!dbk!ck!hrx1b!5hb4!cbbcq4Get hashmaliciousUnknownBrowse
                                                                                    • 62.76.228.2
                                                                                    RSVAU8h96hGet hashmaliciousMiraiBrowse
                                                                                    • 185.73.18.199
                                                                                    LRLZJUXBPkGet hashmaliciousMiraiBrowse
                                                                                    • 185.73.18.116
                                                                                    MAILRU-ASMailRuRUlYWiDKe1In.exeGet hashmaliciousTofseeBrowse
                                                                                    • 217.69.139.150
                                                                                    https://cs13786.tw1.ru/Get hashmaliciousUnknownBrowse
                                                                                    • 217.69.129.214
                                                                                    http://cf20871.tw1.ru/Get hashmaliciousUnknownBrowse
                                                                                    • 5.61.23.11
                                                                                    x64.nn.elfGet hashmaliciousMiraiBrowse
                                                                                    • 128.140.169.91
                                                                                    dIg0MWRViP.exeGet hashmaliciousTofseeBrowse
                                                                                    • 217.69.139.150
                                                                                    rpzOeQ5QzX.exeGet hashmaliciousTofseeBrowse
                                                                                    • 217.69.139.150
                                                                                    uUyFtCTKDd.elfGet hashmaliciousMiraiBrowse
                                                                                    • 94.100.184.243
                                                                                    https://www.ixxin.cn/go.html?url=https://ok.me/b5SG1?M6bxrJ9vlWS?MtRgHryntBJGet hashmaliciousGRQ ScamBrowse
                                                                                    • 217.20.155.6
                                                                                    OgcktrbHkI.exeGet hashmaliciousTofseeBrowse
                                                                                    • 217.69.139.150
                                                                                    c40snYcuW6.elfGet hashmaliciousMiraiBrowse
                                                                                    • 5.61.23.80
                                                                                    YAHOO-GQ1UShttps://yellatism.com/click.php?key=2240o76mk7oyoycyr074&cid=cphbldi9sch0sh7da130&zone=2353135-2517555085-3576986712&campaign=395161020&type=Push&age=11&creative_id=547520&campaign_id=108855&site_id=11517&placement_id=43113822&preset_id=500Get hashmaliciousUnknownBrowse
                                                                                    • 98.137.11.164
                                                                                    dIg0MWRViP.exeGet hashmaliciousTofseeBrowse
                                                                                    • 67.195.228.94
                                                                                    GK9sEyIS4f.elfGet hashmaliciousMiraiBrowse
                                                                                    • 98.136.201.234
                                                                                    n6UMcur8v3.elfGet hashmaliciousMiraiBrowse
                                                                                    • 98.137.238.181
                                                                                    zGP5DlrwgZ.elfGet hashmaliciousGafgyt, MiraiBrowse
                                                                                    • 98.137.103.190
                                                                                    9g5gIOlb47.elfGet hashmaliciousMiraiBrowse
                                                                                    • 98.139.117.88
                                                                                    https://www.googleadservices.com/pagead/aclk?sa=L&ai=CEPSIY7k7Zpu1AY3rkPIP8q21mAvP_pi8d4PY85XiEsq6jPG-ARABIPT5xiVgyeaGi7ykoBqgAcCz_YIDyAEC4AIAqAMByAMIqgSdAk_QZfhjp8EKKRw8Ud-sac3T3jbhfjxjJ1sRhgU3SOjAuI5huqeTvemsIazylmO5A9WU45_edGutcUqL46MvuNtxU89a64S7xhljcSlyUs-dysnWLJ2j0jUpH_gKnco9owTuaX1dg-lH7IYSpQI3MKj-Dr00v1SC_8ZhuzoINVR1E2pcblzJpyD5_udwujRkOY3Fao0Lt8Mai9Sq-EbJfdXMijbwOeNV94FwcwlSMZ7he13IkHy_a1HexFAPvo5qqjQXKG7VuYCajYpF3q5URq0loIuDY5WXWNc5RPV77yzvPDM2ytOukuK76vBmfoFdcFIyWUc5xZIVsm9dr8SzjJNE1z63RwDOkXHpq4VxrPcl1gRfUlqaUGyYeMbOoMAEp9WvltcE4AQBiAWQgcDhTpAGAaAGAoAHqMyCfYgHAZAHAqgH2baxAqgH1ckbqAemvhuoB47OG6gHk9gbqAfulrECqAf-nrECqAevvrECqAeaBqgH89EbqAeW2BuoB6qbsQKoB4OtsQKoB-C9sQKoB_-esQKoB9-fsQKoB_jCsQKoB_vCsQLYBwHSCCcIABACGB0yAQA6Dp_QgICAgASAwICAgKAoSL39wTpYjsuajM3-hQOxCUbAF_v0mAHVgAoDmAsByAsBqg0CVVPIDQHiDRMIlf2ajM3-hQMVjTVECB3yVg2z2BMM0BUB-BYBgBcBshgJEgLeaBgCIgEA6BgB&ae=1&gclid=Cj0KCQjwxeyxBhC7ARIsAC7dS38YLg3rX_OKomm_dfFxFHKQ-xaABBJ-7gCz8VhxHk9qVjyKpQQOlOIaAvqNEALw_wcB&num=1&cid=CAQSQwB7FLtqgUEuOym-5Tn68arUiPJ1jdwPgw46Y6zUHfAkI3hTIEhGQzVeYafsm9LBj6pxutwTRiLFJPhCq9OvYdD7CqQYAQ&sig=AOD64_2G4fRbd2sH1E5jnf1iXQS4SW_Q2g&client=ca-pub-6396844742497208&rf=5&nx=CLICK_X&ny=CLICK_Y&uap=UACH(platform)&uapv=UACH(platformVersion)&uaa=UACH(architecture)&uam=UACH(model)&uafv=UACH(uaFullVersion)&uab=UACH(bitness)&uaw=UACH(wow64)&uafvl=UACH(fullVersionList)&nb=2&adurl=https://browsingwithwave.com/%3Fsrc%3Dd-aff16-cp21142438032%26ob%3Dobgcobedobem%26dvc%3Dc%26k%3D%26crt%3D695418066867%26adp%3D%26plc%3D%26tgt%3D%26sl%3D%26cpd%3D21142438032%26iid%3Dwav%26gclid%3DCj0KCQjwxeyxBhC7ARIsAC7dS38YLg3rX_OKomm_dfFxFHKQ-xaABBJ-7gCz8VhxHk9qVjyKpQQOlOIaAvqNEALw_wcBGet hashmaliciousUnknownBrowse
                                                                                    • 98.136.144.138
                                                                                    https://t.co/yKnQGIBNmnGet hashmaliciousHTMLPhisherBrowse
                                                                                    • 74.6.160.138
                                                                                    SecuriteInfo.com.Trojan.DownLoader46.2135.18096.85.exeGet hashmaliciousPhorpiexBrowse
                                                                                    • 67.195.228.94
                                                                                    z8s945rPmZ.exeGet hashmaliciousSystemBCBrowse
                                                                                    • 67.195.12.34
                                                                                    MICROSOFT-CORP-MSN-AS-BLOCKUShttps://ms-doc.secure-chamber-fil3-doc3565.com/?Ld6B=D0TGet hashmaliciousUnknownBrowse
                                                                                    • 13.107.253.45
                                                                                    https://amgraphpackaging-my.sharepoint.com/:b:/g/personal/bill_porter_amgraph_com/ERqPRNocNI1EhInqBXiZCNcBcNlJy6x3bcIl0rs7cvc1SQ?e=hkckXPGet hashmaliciousHTMLPhisherBrowse
                                                                                    • 52.168.112.67
                                                                                    c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e_dump.exeGet hashmaliciousSystemBCBrowse
                                                                                    • 52.101.194.0
                                                                                    https://boulderassociates-my.sharepoint.com/:b:/p/jsiedler/EWuN3LkL0-lAvjE8xdj-xWcBGqe_EqpoEsT8zVs-mIcKMQ?e=4%3auM1Jkx&at=9Get hashmaliciousHTMLPhisherBrowse
                                                                                    • 52.104.69.55
                                                                                    http://misprogramaspc.com/itoolab-watsgoGet hashmaliciousUnknownBrowse
                                                                                    • 13.107.42.14
                                                                                    http://www.manchac.comGet hashmaliciousUnknownBrowse
                                                                                    • 13.107.42.14
                                                                                    https://firebasestorage.googleapis.com/v0/b/open-1bebe.appspot.com/o/sci.html?alt=media&token=cd1dbc1a-6097-4fcc-a13d-476f52e5185aGet hashmaliciousHTMLPhisherBrowse
                                                                                    • 13.107.253.67
                                                                                    hlopRb4roR.msiGet hashmaliciousUnknownBrowse
                                                                                    • 13.107.21.239
                                                                                    Odeme_Takvimi_Ocak-2024.xllGet hashmaliciousUnknownBrowse
                                                                                    • 13.107.253.43
                                                                                    Odeme_Takvimi_Ocak-2024.xllGet hashmaliciousUnknownBrowse
                                                                                    • 13.107.253.42
                                                                                    No context
                                                                                    No context
Process: C:\Users\user\Desktop\I5vhb7vJPS.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 13975552
Entropy (8bit): 4.8240685222091795
Encrypted: false
                                                                                    SSDEEP:98304:xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAn:
MD5: 7A52D04B959713B97D2AED6162857A7F
SHA1: C9C66E090A2C11D21E5C6D947464391834B102AB
SHA-256: 4C202424A49B3BEE00F70548DFB7BD5566A35C75D59B1869A2260E73C9469DD3
SHA-512: 9812791EA4968E4EEC504C9CB1928A273C57A2DF2DC1BC271298F497FCB092AEF21B5C6896C257957DF7F66B22DBDC83C9068D5676BB335ADDC470F6F88408A7
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........WO..6!.6!.6!..@..6!..@..6!..@...6!.N..6!.6 ..6!..@..6!..@..6!..@..6!.Rich.6!.........PE..L....S.c.................t...Z......./............@............................................................................(.... ..(...............................................................@...............H............................text....s.......t.................. ..`.rdata...-...........x..............@..@.data....V.......t..................@....rsrc...(.... ...&..................@..@................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 13975552
Entropy (8bit): 4.8240685222091795
Encrypted: false
                                                                                    SSDEEP:98304:xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAn:
MD5: 7A52D04B959713B97D2AED6162857A7F
SHA1: C9C66E090A2C11D21E5C6D947464391834B102AB
SHA-256: 4C202424A49B3BEE00F70548DFB7BD5566A35C75D59B1869A2260E73C9469DD3
SHA-512: 9812791EA4968E4EEC504C9CB1928A273C57A2DF2DC1BC271298F497FCB092AEF21B5C6896C257957DF7F66B22DBDC83C9068D5676BB335ADDC470F6F88408A7
Malicious: true
                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........WO..6!.6!.6!..@..6!..@..6!..@...6!.N..6!.6 ..6!..@..6!..@..6!..@..6!.Rich.6!.........PE..L....S.c.................t...Z......./............@............................................................................(.... ..(...............................................................@...............H............................text....s.......t.................. ..`.rdata...-...........x..............@..@.data....V.......t..................@....rsrc...(.... ...&..................@..@................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3773
Entropy (8bit): 4.7109073551842435
Encrypted: false
SSDEEP: 48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5: DA3247A302D70819F10BCEEBAF400503
SHA1: 2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256: 5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512: 48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious: false
Preview (netsh output, CRLF line breaks restored):

A specified value is not valid.

Usage: add rule name=<string>
      dir=in|out
      action=allow|block|bypass
      [program=<program path>]
      [service=<service short name>|any]
      [description=<string>]
      [enable=yes|no (default=yes)]
      [profile=public|private|domain|any[,...]]
      [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|
         <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>]
      [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)]
      [remoteport=0-65535|<port range>[,...]|any (default=any)]
      [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|
         tcp|udp|any (default=any)]
      [interfacetype=wireless|lan|ras|any]
      [rmtcomputergrp=<SDDL string>]
      [rmtusrgrp=<SDDL string>]
      [edge=yes|deferapp|deferuser|no (default=no)]
      [security=authenticate|authenc|authdynenc|authnoencap|
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.183458430559476
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: I5vhb7vJPS.exe
File size: 317'440 bytes
MD5: b2de784471ee083a4a7e2d6f3057e00c
SHA1: 03e5e0fd35a1eba05ddb6d0c4f4a9d8c8d4c67a3
SHA256: a58c26dd8d015d4e3b081b09c3b21f1cff71e42abe545d90872c2eef003d51c9
SHA512: 5aa37e1305403375b475df3abb5cb60aa6ae4e2f5f07b4d45828c67ef7591e931b7155e135d4898dc982404042dfaa7adb02f9fd12a8336b9cd30955f08125fb
SSDEEP: 3072:iPlmU+ROj7FN7oY9hjFJBqqKjOyTpZHNBmN+tTJfNr+1QbSoymwTTuB:iPX+RAxoYzMF5TpZtBmwG0SdTy
TLSH: 6A64180B92E1BC44E5364B31AF2ED7ECB70DF8918E1AA75A32187E5F14B1172DA63710
                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........WO..6!..6!..6!..@...6!..@...6!..@...6!..N...6!..6 ..6!..@...6!..@...6!..@...6!.Rich.6!.........PE..L....S.c.................t.
Icon Hash: 412545454d4d410d
Entrypoint: 0x402fc0
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x63F353F4 [Mon Feb 20 11:05:24 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 324b9e9be8589ec10412a9c657707429

Entrypoint Preview (Instruction):
                                                                                    call 00007F11C4E9A00Fh
                                                                                    jmp 00007F11C4E97ABEh
                                                                                    mov edi, edi
                                                                                    push ebp
                                                                                    mov ebp, esp
                                                                                    mov edx, dword ptr [ebp+08h]
                                                                                    push esi
                                                                                    push edi
                                                                                    test edx, edx
                                                                                    je 00007F11C4E97C39h
                                                                                    mov edi, dword ptr [ebp+0Ch]
                                                                                    test edi, edi
                                                                                    jne 00007F11C4E97C45h
                                                                                    call 00007F11C4E97DDEh
                                                                                    push 00000016h
                                                                                    pop esi
                                                                                    mov dword ptr [eax], esi
                                                                                    call 00007F11C4E9A20Bh
                                                                                    mov eax, esi
                                                                                    jmp 00007F11C4E97C65h
                                                                                    mov eax, dword ptr [ebp+10h]
                                                                                    test eax, eax
                                                                                    jne 00007F11C4E97C36h
                                                                                    mov byte ptr [edx], al
                                                                                    jmp 00007F11C4E97C14h
                                                                                    mov esi, edx
                                                                                    sub esi, eax
                                                                                    mov cl, byte ptr [eax]
                                                                                    mov byte ptr [esi+eax], cl
                                                                                    inc eax
                                                                                    test cl, cl
                                                                                    je 00007F11C4E97C35h
                                                                                    dec edi
                                                                                    jne 00007F11C4E97C25h
                                                                                    test edi, edi
                                                                                    jne 00007F11C4E97C43h
                                                                                    mov byte ptr [edx], 00000000h
                                                                                    call 00007F11C4E97DA8h
                                                                                    push 00000022h
                                                                                    pop ecx
                                                                                    mov dword ptr [eax], ecx
Programming Language:
• [C++] VS2010 build 30319
• [ASM] VS2010 build 30319
• [ C ] VS2010 build 30319
• [IMP] VS2008 SP1 build 30729
• [RES] VS2010 build 30319
• [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb694 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x32000 | 0x2bd28 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb6bc | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb218 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x148 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x73b0 | 0x7400 | 711f9ba02bf97f5002064db8d447507d | False | 0.6531182650862069 | data | 6.68377040220723 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x2dfe | 0x2e00 | 212ae5b30a801ef9e1a10af96edfb27f | False | 0.350288722826087 | data | 4.960285933311088 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x256ec | 0x17400 | 4683dc69cd1ddf9b31d4fd080f3041ec | False | 0.8863932291666666 | data | 7.579863731443322 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x32000 | 0x2bd28 | 0x2be00 | 4b896f572ae928951be7a011dc7cbc34 | False | 0.3762631321225071 | data | 4.786429420432101 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x550c8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.2953091684434968
RT_CURSOR | 0x55f70 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.46705776173285196
RT_CURSOR | 0x56818 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5361271676300579
RT_CURSOR | 0x56db0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.26439232409381663
RT_CURSOR | 0x57c58 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.3686823104693141
RT_CURSOR | 0x58500 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.49060693641618497
RT_CURSOR | 0x58a98 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4375
RT_CURSOR | 0x58bc8 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | | | 0.44886363636363635
RT_CURSOR | 0x58ca0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.27238805970149255
RT_CURSOR | 0x59b48 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.375
RT_CURSOR | 0x5a3f0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5057803468208093
RT_CURSOR | 0x5a988 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.30943496801705755
RT_CURSOR | 0x5b830 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.427797833935018
RT_CURSOR | 0x5c0d8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5469653179190751
RT_ICON | 0x32df0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Japanese | Japan | 0.47547974413646055
RT_ICON | 0x33c98 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Japanese | Japan | 0.5934115523465704
RT_ICON | 0x34540 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Japanese | Japan | 0.6463133640552995
RT_ICON | 0x34c08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Japanese | Japan | 0.6856936416184971
RT_ICON | 0x35170 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Japanese | Japan | 0.37385892116182573
RT_ICON | 0x37718 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Japanese | Japan | 0.47607879924953095
RT_ICON | 0x387c0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Japanese | Japan | 0.5520491803278689
RT_ICON | 0x39148 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Japanese | Japan | 0.6329787234042553
RT_ICON | 0x39628 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Japanese | Japan | 0.4112903225806452
RT_ICON | 0x39cf0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Japanese | Japan | 0.16400414937759336
RT_ICON | 0x3c298 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Japanese | Japan | 0.21365248226950354
RT_ICON | 0x3c730 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Japanese | Japan | 0.3670042643923241
RT_ICON | 0x3d5d8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Japanese | Japan | 0.44945848375451264
RT_ICON | 0x3de80 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Japanese | Japan | 0.45794930875576034
RT_ICON | 0x3e548 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Japanese | Japan | 0.4523121387283237
RT_ICON | 0x3eab0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Japanese | Japan | 0.2697095435684647
RT_ICON | 0x41058 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Japanese | Japan | 0.3072232645403377
RT_ICON | 0x42100 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Japanese | Japan | 0.3599290780141844
RT_ICON | 0x425d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Japanese | Japan | 0.56636460554371
RT_ICON | 0x43478 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Japanese | Japan | 0.5451263537906137
RT_ICON | 0x43d20 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Japanese | Japan | 0.6127167630057804
RT_ICON | 0x44288 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Japanese | Japan | 0.46390041493775935
RT_ICON | 0x46830 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Japanese | Japan | 0.4896810506566604
RT_ICON | 0x478d8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Japanese | Japan | 0.49385245901639346
RT_ICON | 0x48260 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Japanese | Japan | 0.44769503546099293
RT_ICON | 0x48730 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Japanese | Japan | 0.4141791044776119
RT_ICON | 0x495d8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Japanese | Japan | 0.5072202166064982
RT_ICON | 0x49e80 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Japanese | Japan | 0.5985023041474654
RT_ICON | 0x4a548 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Japanese | Japan | 0.5505780346820809
RT_ICON | 0x4aab0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Japanese | Japan | 0.43734439834024896
RT_ICON | 0x4d058 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Japanese | Japan | 0.45614446529080677
RT_ICON | 0x4e100 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Japanese | Japan | 0.4680327868852459
RT_ICON | 0x4ea88 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Japanese | Japan | 0.5159574468085106
RT_ICON | 0x4ef68 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Japanese | Japan | 0.4906716417910448
RT_ICON | 0x4fe10 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Japanese | Japan | 0.47157039711191334
RT_ICON | 0x506b8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Japanese | Japan | 0.44147398843930635
RT_ICON | 0x50c20 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Japanese | Japan | 0.279149377593361
RT_ICON | 0x531c8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Japanese | Japan | 0.2865853658536585
RT_ICON | 0x54270 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Japanese | Japan | 0.30245901639344264
RT_ICON | 0x54bf8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Japanese | Japan | 0.3421985815602837
RT_STRING | 0x5c8d8 | 0x3b8 | data | Japanese | Japan | 0.4684873949579832
RT_STRING | 0x5cc90 | 0x60c | data | Japanese | Japan | 0.4321705426356589
RT_STRING | 0x5d2a0 | 0x11c | data | Japanese | Japan | 0.5633802816901409
RT_STRING | 0x5d3c0 | 0x1b6 | data | Japanese | Japan | 0.5365296803652968
RT_STRING | 0x5d578 | 0x7ac | data | Japanese | Japan | 0.4195519348268839
RT_GROUP_CURSOR | 0x56d80 | 0x30 | data | | | 0.9375
RT_GROUP_CURSOR | 0x58a68 | 0x30 | data | | | 0.9375
RT_GROUP_CURSOR | 0x58c78 | 0x22 | data | | | 1.0588235294117647
RT_GROUP_CURSOR | 0x5a958 | 0x30 | data | | | 0.9375
RT_GROUP_CURSOR | 0x5c640 | 0x30 | data | | | 0.9375
RT_GROUP_ICON | 0x486c8 | 0x68 | data | Japanese | Japan | 0.7211538461538461
RT_GROUP_ICON | 0x3c700 | 0x30 | data | Japanese | Japan | 1.0
RT_GROUP_ICON | 0x395b0 | 0x76 | data | Japanese | Japan | 0.6610169491525424
RT_GROUP_ICON | 0x42568 | 0x68 | data | Japanese | Japan | 0.7115384615384616
RT_GROUP_ICON | 0x4eef0 | 0x76 | data | Japanese | Japan | 0.6864406779661016
RT_GROUP_ICON | 0x55060 | 0x68 | data | Japanese | Japan | 0.7115384615384616
RT_VERSION | 0x5c670 | 0x268 | MS Windows COFF Motorola 68000 object file | | | 0.5081168831168831
DLL | Import
KERNEL32.dll | SetComputerNameW, GetTickCount, GetWindowsDirectoryA, GetUserDefaultLangID, TlsSetValue, GlobalAlloc, LoadLibraryW, AssignProcessToJobObject, ReadProcessMemory, lstrcatA, GetACP, IsBadStringPtrA, GetLastError, SetLastError, GetProcAddress, SetComputerNameA, BuildCommDCBW, LoadLibraryA, InterlockedExchangeAdd, GetDiskFreeSpaceA, FoldStringW, FoldStringA, GetModuleFileNameA, FindFirstVolumeMountPointA, LoadLibraryExA, OutputDebugStringA, HeapFree, EncodePointer, DecodePointer, HeapReAlloc, GetCommandLineW, HeapSetInformation, GetStartupInfoW, HeapAlloc, HeapCreate, WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, Sleep, HeapSize, GetModuleHandleW, ExitProcess, TlsAlloc, TlsGetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, SetUnhandledExceptionFilter, GetStdHandle, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, UnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, WriteConsoleW, MultiByteToWideChar, SetFilePointer, SetStdHandle, RtlUnwind, GetCPInfo, GetOEMCP, IsValidCodePage, CreateFileW, CloseHandle, GetStringTypeW, LCMapStringW, IsProcessorFeaturePresent

Language of compilation system | Country where language is spoken | Map
Japanese | Japan |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 14, 2024 17:50:06.074909925 CEST | 49732 | 25 | 192.168.2.4 | 104.47.54.36
Jun 14, 2024 17:50:07.082356930 CEST | 49732 | 25 | 192.168.2.4 | 104.47.54.36
Jun 14, 2024 17:50:09.082544088 CEST | 49732 | 25 | 192.168.2.4 | 104.47.54.36
Jun 14, 2024 17:50:09.220607042 CEST | 49733 | 443 | 192.168.2.4 | 62.76.228.127
Jun 14, 2024 17:50:09.220696926 CEST | 443 | 49733 | 62.76.228.127 | 192.168.2.4
Jun 14, 2024 17:50:09.221024036 CEST | 49733 | 443 | 192.168.2.4 | 62.76.228.127
Jun 14, 2024 17:50:13.082393885 CEST | 49732 | 25 | 192.168.2.4 | 104.47.54.36
Jun 14, 2024 17:50:21.098066092 CEST | 49732 | 25 | 192.168.2.4 | 104.47.54.36
Jun 14, 2024 17:50:26.085498095 CEST | 60617 | 25 | 192.168.2.4 | 67.195.228.110
Jun 14, 2024 17:50:27.082498074 CEST | 60617 | 25 | 192.168.2.4 | 67.195.228.110
Jun 14, 2024 17:50:29.098089933 CEST | 60617 | 25 | 192.168.2.4 | 67.195.228.110
Jun 14, 2024 17:50:33.098094940 CEST | 60617 | 25 | 192.168.2.4 | 67.195.228.110
Jun 14, 2024 17:50:41.113809109 CEST | 60617 | 25 | 192.168.2.4 | 67.195.228.110
Jun 14, 2024 17:50:46.123295069 CEST | 60618 | 25 | 192.168.2.4 | 64.233.166.27
Jun 14, 2024 17:50:47.113743067 CEST | 60618 | 25 | 192.168.2.4 | 64.233.166.27
Jun 14, 2024 17:50:49.113847017 CEST | 60618 | 25 | 192.168.2.4 | 64.233.166.27
Jun 14, 2024 17:50:49.207686901 CEST | 49733 | 443 | 192.168.2.4 | 62.76.228.127
Jun 14, 2024 17:50:49.207878113 CEST | 443 | 49733 | 62.76.228.127 | 192.168.2.4
Jun 14, 2024 17:50:49.207978010 CEST | 49733 | 443 | 192.168.2.4 | 62.76.228.127
Jun 14, 2024 17:50:49.317739010 CEST | 60619 | 443 | 192.168.2.4 | 62.76.228.127
Jun 14, 2024 17:50:49.317795992 CEST | 443 | 60619 | 62.76.228.127 | 192.168.2.4
Jun 14, 2024 17:50:49.317987919 CEST | 60619 | 443 | 192.168.2.4 | 62.76.228.127
Jun 14, 2024 17:50:53.113790035 CEST | 60618 | 25 | 192.168.2.4 | 64.233.166.27
Jun 14, 2024 17:51:01.129556894 CEST | 60618 | 25 | 192.168.2.4 | 64.233.166.27
Jun 14, 2024 17:51:06.180938005 CEST | 60621 | 25 | 192.168.2.4 | 217.69.139.150
Jun 14, 2024 17:51:07.191838026 CEST | 60621 | 25 | 192.168.2.4 | 217.69.139.150
Jun 14, 2024 17:51:09.207463026 CEST | 60621 | 25 | 192.168.2.4 | 217.69.139.150
Jun 14, 2024 17:51:13.216495991 CEST | 60621 | 25 | 192.168.2.4 | 217.69.139.150
Jun 14, 2024 17:51:21.223325014 CEST | 60621 | 25 | 192.168.2.4 | 217.69.139.150
Jun 14, 2024 17:51:29.333148003 CEST | 60619 | 443 | 192.168.2.4 | 62.76.228.127
Jun 14, 2024 17:51:29.333409071 CEST | 443 | 60619 | 62.76.228.127 | 192.168.2.4
Jun 14, 2024 17:51:29.333817005 CEST | 60619 | 443 | 192.168.2.4 | 62.76.228.127
Jun 14, 2024 17:51:29.443281889 CEST | 60622 | 443 | 192.168.2.4 | 62.76.228.127
Jun 14, 2024 17:51:29.443311930 CEST | 443 | 60622 | 62.76.228.127 | 192.168.2.4
Jun 14, 2024 17:51:29.443459988 CEST | 60622 | 443 | 192.168.2.4 | 62.76.228.127
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jun 14, 2024 17:50:06.045389891 CEST | 53701 | 53 | 192.168.2.4 | 1.1.1.1
Jun 14, 2024 17:50:06.074537039 CEST | 53 | 53701 | 1.1.1.1 | 192.168.2.4
Jun 14, 2024 17:50:09.036561966 CEST | 54464 | 53 | 192.168.2.4 | 1.1.1.1
Jun 14, 2024 17:50:09.219655037 CEST | 53 | 54464 | 1.1.1.1 | 192.168.2.4
Jun 14, 2024 17:50:18.544267893 CEST | 53 | 50063 | 1.1.1.1 | 192.168.2.4
Jun 14, 2024 17:50:26.067717075 CEST | 60532 | 53 | 192.168.2.4 | 1.1.1.1
Jun 14, 2024 17:50:26.075263023 CEST | 53 | 60532 | 1.1.1.1 | 192.168.2.4
Jun 14, 2024 17:50:26.076111078 CEST | 64230 | 53 | 192.168.2.4 | 1.1.1.1
Jun 14, 2024 17:50:26.084713936 CEST | 53 | 64230 | 1.1.1.1 | 192.168.2.4
Jun 14, 2024 17:50:46.099144936 CEST | 55986 | 53 | 192.168.2.4 | 1.1.1.1
Jun 14, 2024 17:50:46.110491991 CEST | 53 | 55986 | 1.1.1.1 | 192.168.2.4
Jun 14, 2024 17:50:46.111116886 CEST | 53795 | 53 | 192.168.2.4 | 1.1.1.1
Jun 14, 2024 17:50:46.121073008 CEST | 53 | 53795 | 1.1.1.1 | 192.168.2.4
Jun 14, 2024 17:51:06.114952087 CEST | 62635 | 53 | 192.168.2.4 | 1.1.1.1
Jun 14, 2024 17:51:06.123189926 CEST | 53 | 62635 | 1.1.1.1 | 192.168.2.4
Jun 14, 2024 17:51:06.124459982 CEST | 51997 | 53 | 192.168.2.4 | 1.1.1.1
Jun 14, 2024 17:51:06.179848909 CEST | 53 | 51997 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jun 14, 2024 17:50:06.045389891 CEST | 192.168.2.4 | 1.1.1.1 | 0x62f4 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Jun 14, 2024 17:50:09.036561966 CEST | 192.168.2.4 | 1.1.1.1 | 0xef2e | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Jun 14, 2024 17:50:26.067717075 CEST | 192.168.2.4 | 1.1.1.1 | 0x10ab | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Jun 14, 2024 17:50:26.076111078 CEST | 192.168.2.4 | 1.1.1.1 | 0xb125 | Standard query (0) | mta6.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Jun 14, 2024 17:50:46.099144936 CEST | 192.168.2.4 | 1.1.1.1 | 0x4415 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Jun 14, 2024 17:50:46.111116886 CEST | 192.168.2.4 | 1.1.1.1 | 0x6888 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Jun 14, 2024 17:51:06.114952087 CEST | 192.168.2.4 | 1.1.1.1 | 0xdefc | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Jun 14, 2024 17:51:06.124459982 CEST | 192.168.2.4 | 1.1.1.1 | 0xcdb5 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jun 14, 2024 17:50:06.074537039 CEST | 1.1.1.1 | 192.168.2.4 | 0x62f4 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 17:50:06.074537039 CEST | 1.1.1.1 | 192.168.2.4 | 0x62f4 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 17:50:09.219655037 CEST | 1.1.1.1 | 192.168.2.4 | 0xef2e | No error (0) | vanaheim.cn | | 62.76.228.127 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 17:50:26.075263023 CEST | 1.1.1.1 | 192.168.2.4 | 0x10ab | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Jun 14, 2024 17:50:26.075263023 CEST | 1.1.1.1 | 192.168.2.4 | 0x10ab | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Jun 14, 2024 17:50:26.075263023 CEST | 1.1.1.1 | 192.168.2.4 | 0x10ab | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Jun 14, 2024 17:50:26.084713936 CEST | 1.1.1.1 | 192.168.2.4 | 0xb125 | No error (0) | mta6.am0.yahoodns.net | | 67.195.228.110 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 17:50:26.084713936 CEST | 1.1.1.1 | 192.168.2.4 | 0xb125 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.74 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 17:50:26.084713936 CEST | 1.1.1.1 | 192.168.2.4 | 0xb125 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.73 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 17:50:26.084713936 CEST | 1.1.1.1 | 192.168.2.4 | 0xb125 | No error (0) | mta6.am0.yahoodns.net | | 67.195.228.94 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 17:50:26.084713936 CEST | 1.1.1.1 | 192.168.2.4 | 0xb125 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.77 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 17:50:26.084713936 CEST | 1.1.1.1 | 192.168.2.4 | 0xb125 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.91 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 17:50:26.084713936 CEST | 1.1.1.1 | 192.168.2.4 | 0xb125 | No error (0) | mta6.am0.yahoodns.net | | 67.195.228.106 | A (IP address) | IN (0x0001) | false
Jun 14, 2024 17:50:26.084713936 CEST | 1.1.1.1 | 192.168.2.4 | 0xb125 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.77 | A (IP address) | IN (0x0001) | false
                                                                                    Jun 14, 2024 17:50:46.110491991 CEST1.1.1.1192.168.2.40x4415No error (0)google.comMX (Mail exchange)IN (0x0001)false
                                                                                    Jun 14, 2024 17:50:46.121073008 CEST1.1.1.1192.168.2.40x6888No error (0)smtp.google.com64.233.166.27A (IP address)IN (0x0001)false
                                                                                    Jun 14, 2024 17:50:46.121073008 CEST1.1.1.1192.168.2.40x6888No error (0)smtp.google.com74.125.206.27A (IP address)IN (0x0001)false
                                                                                    Jun 14, 2024 17:50:46.121073008 CEST1.1.1.1192.168.2.40x6888No error (0)smtp.google.com74.125.206.26A (IP address)IN (0x0001)false
                                                                                    Jun 14, 2024 17:50:46.121073008 CEST1.1.1.1192.168.2.40x6888No error (0)smtp.google.com64.233.167.27A (IP address)IN (0x0001)false
                                                                                    Jun 14, 2024 17:50:46.121073008 CEST1.1.1.1192.168.2.40x6888No error (0)smtp.google.com64.233.167.26A (IP address)IN (0x0001)false
                                                                                    Jun 14, 2024 17:51:06.123189926 CEST1.1.1.1192.168.2.40xdefcNo error (0)mail.ruMX (Mail exchange)IN (0x0001)false
                                                                                    Jun 14, 2024 17:51:06.179848909 CEST1.1.1.1192.168.2.40xcdb5No error (0)mxs.mail.ru217.69.139.150A (IP address)IN (0x0001)false
                                                                                    Jun 14, 2024 17:51:06.179848909 CEST1.1.1.1192.168.2.40xcdb5No error (0)mxs.mail.ru94.100.180.31A (IP address)IN (0x0001)false

                                                                                    Target ID:0
                                                                                    Start time:11:49:55
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Users\user\Desktop\I5vhb7vJPS.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Users\user\Desktop\I5vhb7vJPS.exe"
                                                                                    Imagebase:0x400000
                                                                                    File size:317'440 bytes
                                                                                    MD5 hash:B2DE784471EE083A4A7E2D6F3057E00C
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1728900989.0000000000623000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.1689229491.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.1689229491.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.1689229491.00000000020D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:1
                                                                                    Start time:11:49:59
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jjcfhqgg\
                                                                                    Imagebase:0x240000
                                                                                    File size:236'544 bytes
                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:2
                                                                                    Start time:11:49:59
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:3
                                                                                    Start time:11:49:59
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\wzsddmnn.exe" C:\Windows\SysWOW64\jjcfhqgg\
                                                                                    Imagebase:0x240000
                                                                                    File size:236'544 bytes
                                                                                    MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:4
                                                                                    Start time:11:49:59
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:5
                                                                                    Start time:11:50:00
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\sc.exe" create jjcfhqgg binPath= "C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d\"C:\Users\user\Desktop\I5vhb7vJPS.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                    Imagebase:0xa30000
                                                                                    File size:61'440 bytes
                                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:6
                                                                                    Start time:11:50:00
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:7
                                                                                    Start time:11:50:01
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\sc.exe" description jjcfhqgg "wifi internet conection"
                                                                                    Imagebase:0xa30000
                                                                                    File size:61'440 bytes
                                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:8
                                                                                    Start time:11:50:01
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:9
                                                                                    Start time:11:50:01
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\SysWOW64\sc.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\sc.exe" start jjcfhqgg
                                                                                    Imagebase:0xa30000
                                                                                    File size:61'440 bytes
                                                                                    MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:moderate
                                                                                    Has exited:true

                                                                                    Target ID:10
                                                                                    Start time:11:50:01
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:11
                                                                                    Start time:11:50:01
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe /d"C:\Users\user\Desktop\I5vhb7vJPS.exe"
                                                                                    Imagebase:0x400000
                                                                                    File size:13'975'552 bytes
                                                                                    MD5 hash:7A52D04B959713B97D2AED6162857A7F
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1756650523.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1756650523.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.1756650523.0000000000DD0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000003.1754871214.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000003.1754871214.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000003.1754871214.0000000000D90000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000B.00000002.1756464706.000000000049E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                    Reputation:low
                                                                                    Has exited:true

                                                                                    Target ID:12
                                                                                    Start time:11:50:02
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\SysWOW64\netsh.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                    Imagebase:0x1560000
                                                                                    File size:82'432 bytes
                                                                                    MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:true

                                                                                    Target ID:13
                                                                                    Start time:11:50:02
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\System32\svchost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                    Imagebase:0x7ff6eef20000
                                                                                    File size:55'320 bytes
                                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Reputation:high
                                                                                    Has exited:false

                                                                                    Target ID:14
                                                                                    Start time:11:50:02
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                    Wow64 process (32bit):false
                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                    Imagebase:0x7ff7699e0000
                                                                                    File size:862'208 bytes
                                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:15
                                                                                    Start time:11:50:02
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2060 -ip 2060
                                                                                    Imagebase:0xa0000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:16
                                                                                    Start time:11:50:02
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 1028
                                                                                    Imagebase:0xa0000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:17
                                                                                    Start time:11:50:05
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:svchost.exe
                                                                                    Imagebase:0x9a0000
                                                                                    File size:46'504 bytes
                                                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Yara matches:
                                                                                    • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                    • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                    • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                    Has exited:false

                                                                                    Target ID:18
                                                                                    Start time:11:50:05
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 7424 -ip 7424
                                                                                    Imagebase:0xa0000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                    Target ID:19
                                                                                    Start time:11:50:05
                                                                                    Start date:14/06/2024
                                                                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                    Wow64 process (32bit):true
                                                                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7424 -s 584
                                                                                    Imagebase:0xa0000
                                                                                    File size:483'680 bytes
                                                                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                    Has elevated privileges:true
                                                                                    Has administrator privileges:true
                                                                                    Programmed in:C, C++ or other language
                                                                                    Has exited:true

                                                                                      Execution Graph

                                                                                      Execution Coverage:3.6%
                                                                                      Dynamic/Decrypted Code Coverage:2.1%
                                                                                      Signature Coverage:25.6%
                                                                                      Total number of Nodes:1550
                                                                                      Total number of Limit Nodes:17
15470->15438 15473 40ec01 15472->15473 15474 40ebf6 15472->15474 15476 40eba0 codecvt 2 API calls 15473->15476 15475 40ebcc 4 API calls 15474->15475 15477 40ebfe 15475->15477 15478 40ec0a GetProcessHeap HeapReAlloc 15476->15478 15477->15446 15479 40eb74 2 API calls 15478->15479 15480 40ec28 15479->15480 15480->15446 15495 40eb41 15481->15495 15485 40de3a 15484->15485 15491 40de4e 15485->15491 15499 40dd84 15485->15499 15488 40ebed 8 API calls 15493 40def6 15488->15493 15489 40de9e 15489->15488 15489->15491 15490 40de76 15503 40ddcf 15490->15503 15491->15451 15493->15491 15494 40ddcf lstrcmpA 15493->15494 15494->15491 15496 40eb54 15495->15496 15497 40eb4a 15495->15497 15496->15451 15498 40eae4 2 API calls 15497->15498 15498->15496 15500 40dd96 15499->15500 15501 40ddc5 15499->15501 15500->15501 15502 40ddad lstrcmpiA 15500->15502 15501->15489 15501->15490 15502->15500 15502->15501 15504 40dddd 15503->15504 15506 40de20 15503->15506 15505 40ddfa lstrcmpA 15504->15505 15504->15506 15505->15504 15506->15491 15508 40dd05 6 API calls 15507->15508 15509 40e821 15508->15509 15510 40dd84 lstrcmpiA 15509->15510 15511 40e82c 15510->15511 15512 40e844 15511->15512 15555 402480 15511->15555 15512->15052 15515 40dd05 6 API calls 15514->15515 15516 40df7c 15515->15516 15517 40dd84 lstrcmpiA 15516->15517 15520 40df89 15517->15520 15518 40dfc4 15518->15058 15519 40ddcf lstrcmpA 15519->15520 15520->15518 15520->15519 15521 40ec2e codecvt 4 API calls 15520->15521 15522 40dd84 lstrcmpiA 15520->15522 15521->15520 15522->15520 15524 40ea98 15523->15524 15564 40e8a1 15524->15564 15526 401e84 15526->15061 15528 4019d5 GetProcAddress GetProcAddress GetProcAddress 15527->15528 15531 4019ce 15527->15531 15529 401ab3 FreeLibrary 15528->15529 15530 401a04 15528->15530 15529->15531 15530->15529 15532 401a14 GetProcessHeap 15530->15532 15531->15065 15532->15531 15534 401a2e HeapAlloc 15532->15534 15534->15531 15535 401a42 15534->15535 15536 401a52 HeapReAlloc 15535->15536 15538 401a62 
15535->15538 15536->15538 15537 401aa1 FreeLibrary 15537->15531 15538->15537 15539 401a96 HeapFree 15538->15539 15539->15537 15592 401ac3 LoadLibraryA 15540->15592 15543 401bcf 15543->15077 15545 401ac3 12 API calls 15544->15545 15546 401c09 15545->15546 15547 401c41 15546->15547 15548 401c0d GetComputerNameA 15546->15548 15547->15084 15549 401c45 GetVolumeInformationA 15548->15549 15550 401c1f 15548->15550 15549->15547 15550->15547 15550->15549 15552 40ee2a 15551->15552 15553 4030d0 gethostname gethostbyname 15552->15553 15554 401f82 15553->15554 15554->15089 15554->15091 15558 402419 lstrlenA 15555->15558 15557 402491 15557->15512 15559 402474 15558->15559 15560 40243d lstrlenA 15558->15560 15559->15557 15561 402464 lstrlenA 15560->15561 15562 40244e lstrcmpiA 15560->15562 15561->15559 15561->15560 15562->15561 15563 40245c 15562->15563 15563->15559 15563->15561 15565 40dd05 6 API calls 15564->15565 15566 40e8b4 15565->15566 15567 40dd84 lstrcmpiA 15566->15567 15568 40e8c0 15567->15568 15569 40e90a 15568->15569 15570 40e8c8 lstrcpynA 15568->15570 15571 402419 4 API calls 15569->15571 15580 40ea27 15569->15580 15572 40e8f5 15570->15572 15573 40e926 lstrlenA lstrlenA 15571->15573 15585 40df4c 15572->15585 15574 40e96a 15573->15574 15575 40e94c lstrlenA 15573->15575 15579 40ebcc 4 API calls 15574->15579 15574->15580 15575->15574 15577 40e901 15578 40dd84 lstrcmpiA 15577->15578 15578->15569 15581 40e98f 15579->15581 15580->15526 15581->15580 15582 40df4c 20 API calls 15581->15582 15583 40ea1e 15582->15583 15584 40ec2e codecvt 4 API calls 15583->15584 15584->15580 15586 40dd05 6 API calls 15585->15586 15587 40df51 15586->15587 15588 40f04e 4 API calls 15587->15588 15589 40df58 15588->15589 15590 40de24 10 API calls 15589->15590 15591 40df63 15590->15591 15591->15577 15593 401ae2 GetProcAddress 15592->15593 15598 401b68 GetComputerNameA GetVolumeInformationA 15592->15598 15594 401af5 15593->15594 15593->15598 15595 40ebed 8 API calls 15594->15595 15596 401b29 
15594->15596 15595->15594 15596->15596 15597 40ec2e codecvt 4 API calls 15596->15597 15596->15598 15597->15598 15598->15543 15600 406ec3 2 API calls 15599->15600 15601 407ef4 15600->15601 15602 4073ff 17 API calls 15601->15602 15603 407fc9 15601->15603 15604 407f16 15602->15604 15603->15103 15604->15603 15612 407809 GetUserNameA 15604->15612 15606 407f63 15606->15603 15607 40ef1e lstrlenA 15606->15607 15608 407fa6 15607->15608 15609 40ef1e lstrlenA 15608->15609 15610 407fb7 15609->15610 15636 407a95 RegOpenKeyExA 15610->15636 15613 40783d LookupAccountNameA 15612->15613 15619 407a8d 15612->15619 15614 407874 GetLengthSid GetFileSecurityA 15613->15614 15613->15619 15615 4078a8 GetSecurityDescriptorOwner 15614->15615 15614->15619 15616 4078c5 EqualSid 15615->15616 15617 40791d GetSecurityDescriptorDacl 15615->15617 15616->15617 15618 4078dc LocalAlloc 15616->15618 15617->15619 15624 407941 15617->15624 15618->15617 15620 4078ef InitializeSecurityDescriptor 15618->15620 15619->15606 15621 407916 LocalFree 15620->15621 15622 4078fb SetSecurityDescriptorOwner 15620->15622 15621->15617 15622->15621 15625 40790b SetFileSecurityA 15622->15625 15623 40795b GetAce 15623->15624 15624->15619 15624->15623 15626 407980 EqualSid 15624->15626 15627 407a3d 15624->15627 15628 4079be EqualSid 15624->15628 15629 40799d DeleteAce 15624->15629 15625->15621 15626->15624 15627->15619 15630 407a43 LocalAlloc 15627->15630 15628->15624 15629->15624 15630->15619 15631 407a56 InitializeSecurityDescriptor 15630->15631 15632 407a62 SetSecurityDescriptorDacl 15631->15632 15633 407a86 LocalFree 15631->15633 15632->15633 15634 407a73 SetFileSecurityA 15632->15634 15633->15619 15634->15633 15635 407a83 15634->15635 15635->15633 15637 407ac4 15636->15637 15638 407acb GetUserNameA 15636->15638 15637->15603 15639 407da7 RegCloseKey 15638->15639 15640 407aed LookupAccountNameA 15638->15640 15639->15637 15640->15639 15641 407b24 RegGetKeySecurity 15640->15641 15641->15639 15642 407b49 
GetSecurityDescriptorOwner 15641->15642 15643 407b63 EqualSid 15642->15643 15644 407bb8 GetSecurityDescriptorDacl 15642->15644 15643->15644 15646 407b74 LocalAlloc 15643->15646 15645 407da6 15644->15645 15653 407bdc 15644->15653 15645->15639 15646->15644 15647 407b8a InitializeSecurityDescriptor 15646->15647 15649 407bb1 LocalFree 15647->15649 15650 407b96 SetSecurityDescriptorOwner 15647->15650 15648 407bf8 GetAce 15648->15653 15649->15644 15650->15649 15651 407ba6 RegSetKeySecurity 15650->15651 15651->15649 15652 407c1d EqualSid 15652->15653 15653->15645 15653->15648 15653->15652 15654 407cd9 15653->15654 15655 407c5f EqualSid 15653->15655 15656 407c3a DeleteAce 15653->15656 15654->15645 15657 407d5a LocalAlloc 15654->15657 15658 407cf2 RegOpenKeyExA 15654->15658 15655->15653 15656->15653 15657->15645 15659 407d70 InitializeSecurityDescriptor 15657->15659 15658->15657 15664 407d0f 15658->15664 15660 407d7c SetSecurityDescriptorDacl 15659->15660 15661 407d9f LocalFree 15659->15661 15660->15661 15662 407d8c RegSetKeySecurity 15660->15662 15661->15645 15662->15661 15663 407d9c 15662->15663 15663->15661 15665 407d43 RegSetValueExA 15664->15665 15665->15657 15666 407d54 15665->15666 15666->15657 15667->15119 15669 40dd05 6 API calls 15668->15669 15672 40e65f 15669->15672 15670 40e6a5 15671 40ebcc 4 API calls 15670->15671 15675 40e6f5 15670->15675 15674 40e6b0 15671->15674 15672->15670 15673 40e68c lstrcmpA 15672->15673 15673->15672 15674->15675 15677 40e6b7 15674->15677 15678 40e6e0 lstrcpynA 15674->15678 15676 40e71d lstrcmpA 15675->15676 15675->15677 15676->15675 15677->15121 15678->15675 15679->15127 15681 40c525 15680->15681 15686 40c532 15680->15686 15684 40ec2e codecvt 4 API calls 15681->15684 15681->15686 15682 40c548 15685 40e7ff lstrcmpiA 15682->15685 15693 40c54f 15682->15693 15684->15686 15687 40c615 15685->15687 15686->15682 15832 40e7ff 15686->15832 15688 40ebcc 4 API calls 15687->15688 15687->15693 15688->15693 15689 40c5d1 15691 40ebcc 4 API calls 
15689->15691 15691->15693 15692 40e819 11 API calls 15694 40c5b7 15692->15694 15693->15140 15695 40f04e 4 API calls 15694->15695 15696 40c5bf 15695->15696 15696->15682 15696->15689 15698 402692 inet_addr 15697->15698 15699 40268e 15697->15699 15698->15699 15700 40269e gethostbyname 15698->15700 15701 40f428 15699->15701 15700->15699 15835 40f315 15701->15835 15706 40c8d2 15704->15706 15705 40c907 15705->15142 15706->15705 15707 40c517 23 API calls 15706->15707 15707->15705 15708 40f43e 15709 40f473 recv 15708->15709 15710 40f47c 15709->15710 15711 40f458 15709->15711 15710->15158 15711->15709 15711->15710 15713 40c670 15712->15713 15714 40c67d 15712->15714 15715 40ebcc 4 API calls 15713->15715 15716 40ebcc 4 API calls 15714->15716 15717 40c699 15714->15717 15715->15714 15716->15717 15718 40c6f3 15717->15718 15719 40c73c send 15717->15719 15718->15171 15718->15185 15719->15718 15721 40c770 15720->15721 15722 40c77d 15720->15722 15724 40ebcc 4 API calls 15721->15724 15723 40c799 15722->15723 15725 40ebcc 4 API calls 15722->15725 15726 40c7b5 15723->15726 15727 40ebcc 4 API calls 15723->15727 15724->15722 15725->15723 15728 40f43e recv 15726->15728 15727->15726 15729 40c7cb 15728->15729 15730 40f43e recv 15729->15730 15731 40c7d3 15729->15731 15730->15731 15731->15185 15848 407db7 15732->15848 15735 407e96 15735->15185 15736 40f04e 4 API calls 15738 407e4c 15736->15738 15737 40f04e 4 API calls 15737->15735 15739 40f04e 4 API calls 15738->15739 15740 407e70 15738->15740 15739->15740 15740->15735 15740->15737 15742 406ec3 2 API calls 15741->15742 15743 407fdd 15742->15743 15744 4073ff 17 API calls 15743->15744 15753 4080c2 CreateProcessA 15743->15753 15745 407fff 15744->15745 15746 407809 21 API calls 15745->15746 15745->15753 15747 40804d 15746->15747 15748 40ef1e lstrlenA 15747->15748 15747->15753 15749 40809e 15748->15749 15750 40ef1e lstrlenA 15749->15750 15751 4080af 15750->15751 15752 407a95 24 API calls 15751->15752 15752->15753 15753->15224 15753->15225 15755 
407db7 2 API calls 15754->15755 15756 407eb8 15755->15756 15757 40f04e 4 API calls 15756->15757 15758 407ece DeleteFileA 15757->15758 15758->15185 15760 40dd05 6 API calls 15759->15760 15761 40e31d 15760->15761 15852 40e177 15761->15852 15763 40e326 15763->15194 15765 4031f3 15764->15765 15775 4031ec 15764->15775 15766 40ebcc 4 API calls 15765->15766 15773 4031fc 15766->15773 15767 403459 15770 40f04e 4 API calls 15767->15770 15768 40349d 15769 40ec2e codecvt 4 API calls 15768->15769 15769->15775 15771 40345f 15770->15771 15772 4030fa 4 API calls 15771->15772 15772->15775 15774 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15773->15774 15773->15775 15776 40344d 15773->15776 15779 40344b 15773->15779 15780 403141 lstrcmpiA 15773->15780 15878 4030fa GetTickCount 15773->15878 15774->15773 15775->15185 15777 40ec2e codecvt 4 API calls 15776->15777 15777->15779 15779->15767 15779->15768 15780->15773 15782 4030fa 4 API calls 15781->15782 15783 403c1a 15782->15783 15788 403ce6 15783->15788 15883 403a72 15783->15883 15786 403a72 9 API calls 15789 403c5e 15786->15789 15787 403a72 9 API calls 15787->15789 15788->15185 15789->15787 15789->15788 15790 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15789->15790 15790->15789 15792 403a10 15791->15792 15793 4030fa 4 API calls 15792->15793 15794 403a1a 15793->15794 15794->15185 15796 40dd05 6 API calls 15795->15796 15797 40e7be 15796->15797 15797->15185 15799 40c105 15798->15799 15800 40c07e wsprintfA 15798->15800 15799->15185 15892 40bfce GetTickCount wsprintfA 15800->15892 15802 40c0ef 15893 40bfce GetTickCount wsprintfA 15802->15893 15805 407047 15804->15805 15806 406f88 LookupAccountNameA 15804->15806 15805->15185 15808 407025 15806->15808 15809 406fcb 15806->15809 15810 406edd 5 API calls 15808->15810 15812 406fdb ConvertSidToStringSidA 15809->15812 15811 40702a wsprintfA 15810->15811 15811->15805 15812->15808 15813 406ff1 15812->15813 15814 407013 LocalFree 15813->15814 15814->15808 15816 
40dd05 6 API calls 15815->15816 15817 40e85c 15816->15817 15818 40dd84 lstrcmpiA 15817->15818 15819 40e867 15818->15819 15820 40e885 lstrcpyA 15819->15820 15894 4024a5 15819->15894 15897 40dd69 15820->15897 15826 407db7 2 API calls 15825->15826 15827 407de1 15826->15827 15828 407e16 15827->15828 15829 40f04e 4 API calls 15827->15829 15828->15185 15830 407df2 15829->15830 15830->15828 15831 40f04e 4 API calls 15830->15831 15831->15828 15833 40dd84 lstrcmpiA 15832->15833 15834 40c58e 15833->15834 15834->15682 15834->15689 15834->15692 15836 40ca1d 15835->15836 15837 40f33b 15835->15837 15836->15155 15836->15708 15838 40f347 htons socket 15837->15838 15839 40f382 ioctlsocket 15838->15839 15840 40f374 closesocket 15838->15840 15841 40f3aa connect select 15839->15841 15842 40f39d 15839->15842 15840->15836 15841->15836 15844 40f3f2 __WSAFDIsSet 15841->15844 15843 40f39f closesocket 15842->15843 15843->15836 15844->15843 15845 40f403 ioctlsocket 15844->15845 15847 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15845->15847 15847->15836 15849 407dc8 InterlockedExchange 15848->15849 15850 407dc0 Sleep 15849->15850 15851 407dd4 15849->15851 15850->15849 15851->15736 15851->15740 15853 40e184 15852->15853 15854 40e2e4 15853->15854 15855 40e223 15853->15855 15868 40dfe2 15853->15868 15854->15763 15855->15854 15857 40dfe2 8 API calls 15855->15857 15861 40e23c 15857->15861 15858 40e1be 15858->15855 15859 40dbcf 3 API calls 15858->15859 15862 40e1d6 15859->15862 15860 40e21a CloseHandle 15860->15855 15861->15854 15872 40e095 RegCreateKeyExA 15861->15872 15862->15855 15862->15860 15863 40e1f9 WriteFile 15862->15863 15863->15860 15865 40e213 15863->15865 15865->15860 15866 40e2a3 15866->15854 15867 40e095 4 API calls 15866->15867 15867->15854 15869 40dffc 15868->15869 15871 40e024 15868->15871 15870 40db2e 8 API calls 15869->15870 15869->15871 15870->15871 15871->15858 15873 40e172 15872->15873 15874 40e0c0 15872->15874 15873->15866 15875 40e13d 15874->15875 15877 
40e115 RegSetValueExA 15874->15877 15876 40e14e RegDeleteValueA RegCloseKey 15875->15876 15876->15873 15877->15874 15877->15875 15879 403122 InterlockedExchange 15878->15879 15880 40312e 15879->15880 15881 40310f GetTickCount 15879->15881 15880->15773 15881->15880 15882 40311a Sleep 15881->15882 15882->15879 15884 40f04e 4 API calls 15883->15884 15891 403a83 15884->15891 15885 403ac1 15885->15786 15885->15788 15886 403be6 15888 40ec2e codecvt 4 API calls 15886->15888 15887 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15889 403bc0 15887->15889 15888->15885 15889->15886 15889->15887 15890 403b66 lstrlenA 15890->15885 15890->15891 15891->15885 15891->15889 15891->15890 15892->15802 15893->15799 15895 402419 4 API calls 15894->15895 15896 4024b6 15895->15896 15896->15820 15898 40dd79 lstrlenA 15897->15898 15898->15185 15900 404084 15899->15900 15901 40407d 15899->15901 15902 403ecd 6 API calls 15900->15902 15903 40408f 15902->15903 15904 404000 3 API calls 15903->15904 15906 404095 15904->15906 15905 404130 15907 403ecd 6 API calls 15905->15907 15906->15905 15911 403f18 4 API calls 15906->15911 15908 404159 CreateNamedPipeA 15907->15908 15909 404167 Sleep 15908->15909 15910 404188 ConnectNamedPipe 15908->15910 15909->15905 15913 404176 CloseHandle 15909->15913 15912 404195 GetLastError 15910->15912 15923 4041ab 15910->15923 15914 4040da 15911->15914 15915 40425e DisconnectNamedPipe 15912->15915 15912->15923 15913->15910 15916 403f8c 4 API calls 15914->15916 15915->15910 15917 4040ec 15916->15917 15918 404127 CloseHandle 15917->15918 15919 404101 15917->15919 15918->15905 15920 403f18 4 API calls 15919->15920 15921 40411c ExitProcess 15920->15921 15922 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15922->15923 15923->15910 15923->15915 15923->15922 15924 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 15923->15924 15925 40426a CloseHandle CloseHandle 15923->15925 15924->15923 15926 40e318 23 API calls 
15925->15926 15927 40427b 15926->15927 15927->15927 15929 408791 15928->15929 15930 40879f 15928->15930 15931 40f04e 4 API calls 15929->15931 15932 4087bc 15930->15932 15933 40f04e 4 API calls 15930->15933 15931->15930 15934 40e819 11 API calls 15932->15934 15933->15932 15935 4087d7 15934->15935 15947 408803 15935->15947 15949 4026b2 gethostbyaddr 15935->15949 15937 4087eb 15939 40e8a1 30 API calls 15937->15939 15937->15947 15939->15947 15942 40e819 11 API calls 15942->15947 15943 4088a0 Sleep 15943->15947 15944 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15944->15947 15946 4026b2 2 API calls 15946->15947 15947->15942 15947->15943 15947->15944 15947->15946 15948 40e8a1 30 API calls 15947->15948 15954 40c4d6 15947->15954 15957 40c4e2 15947->15957 15960 402011 15947->15960 15995 408328 15947->15995 15948->15947 15950 4026fb 15949->15950 15951 4026cd 15949->15951 15950->15937 15952 4026e1 inet_ntoa 15951->15952 15953 4026de 15951->15953 15952->15953 15953->15937 16047 40c2dc 15954->16047 15958 40c2dc 141 API calls 15957->15958 15959 40c4ec 15958->15959 15959->15947 15961 402020 15960->15961 15962 40202e 15960->15962 15963 40f04e 4 API calls 15961->15963 15964 40204b 15962->15964 15965 40f04e 4 API calls 15962->15965 15963->15962 15966 40206e GetTickCount 15964->15966 15968 40f04e 4 API calls 15964->15968 15965->15964 15967 4020db GetTickCount 15966->15967 15977 402090 15966->15977 15971 402132 GetTickCount GetTickCount 15967->15971 15979 4020e7 15967->15979 15969 402068 15968->15969 15969->15966 15970 4020d4 GetTickCount 15970->15967 15973 40f04e 4 API calls 15971->15973 15972 40212b GetTickCount 15972->15971 15975 402159 15973->15975 15974 402684 2 API calls 15974->15977 15978 4021b4 15975->15978 15981 40e854 13 API calls 15975->15981 15977->15970 15977->15974 15985 4020ce 15977->15985 16382 401978 15977->16382 15980 40f04e 4 API calls 15978->15980 15979->15972 15987 401978 15 API calls 15979->15987 15988 402125 15979->15988 16387 
402ef8 15979->16387 15984 4021d1 15980->15984 15982 40218e 15981->15982 15986 40e819 11 API calls 15982->15986 15989 4021f2 15984->15989 15991 40ea84 30 API calls 15984->15991 15985->15970 15990 40219c 15986->15990 15987->15979 15988->15972 15989->15947 15990->15978 16395 401c5f 15990->16395 15992 4021ec 15991->15992 15993 40f04e 4 API calls 15992->15993 15993->15989 15996 407dd6 6 API calls 15995->15996 15997 40833c 15996->15997 15998 406ec3 2 API calls 15997->15998 16021 408340 15997->16021 15999 40834f 15998->15999 16000 40835c 15999->16000 16001 40846b 15999->16001 16002 4073ff 17 API calls 16000->16002 16006 4084a7 RegOpenKeyExA 16001->16006 16019 408450 16001->16019 16023 408373 16002->16023 16003 4085df 16005 408626 GetTempPathA 16003->16005 16013 408762 16003->16013 16022 408638 16003->16022 16004 40675c 21 API calls 16004->16003 16005->16022 16008 4084c0 RegQueryValueExA 16006->16008 16009 40852f 16006->16009 16011 408521 RegCloseKey 16008->16011 16012 4084dd 16008->16012 16015 408564 RegOpenKeyExA 16009->16015 16026 4085a5 16009->16026 16010 4086ad 16010->16013 16014 407e2f 6 API calls 16010->16014 16011->16009 16012->16011 16020 40ebcc 4 API calls 16012->16020 16018 40ec2e codecvt 4 API calls 16013->16018 16013->16021 16027 4086bb 16014->16027 16016 408573 RegSetValueExA RegCloseKey 16015->16016 16015->16026 16016->16026 16017 40875b DeleteFileA 16017->16013 16018->16021 16019->16003 16019->16004 16025 4084f0 16020->16025 16021->15947 16467 406ba7 IsBadCodePtr 16022->16467 16023->16019 16023->16021 16028 4083ea RegOpenKeyExA 16023->16028 16025->16011 16029 4084f8 RegQueryValueExA 16025->16029 16026->16019 16031 40ec2e codecvt 4 API calls 16026->16031 16027->16017 16034 4086e0 lstrcpyA lstrlenA 16027->16034 16028->16019 16032 4083fd RegQueryValueExA 16028->16032 16029->16011 16030 408515 16029->16030 16033 40ec2e codecvt 4 API calls 16030->16033 16031->16019 16035 40842d RegSetValueExA 16032->16035 16036 40841e 16032->16036 16037 40851d 16033->16037 16038 
407fcf 64 API calls 16034->16038 16039 408447 RegCloseKey 16035->16039 16036->16035 16036->16039 16037->16011 16040 408719 CreateProcessA 16038->16040 16039->16019 16041 40873d CloseHandle CloseHandle 16040->16041 16042 40874f 16040->16042 16041->16013 16043 407ee6 64 API calls 16042->16043 16044 408754 16043->16044 16045 407ead 6 API calls 16044->16045 16046 40875a 16045->16046 16046->16017 16063 40a4c7 GetTickCount 16047->16063 16050 40c45e 16055 40c4d2 16050->16055 16056 40c4ab InterlockedIncrement CreateThread 16050->16056 16051 40c300 GetTickCount 16053 40c337 16051->16053 16052 40c326 16052->16053 16054 40c32b GetTickCount 16052->16054 16053->16050 16058 40c363 GetTickCount 16053->16058 16054->16053 16055->15947 16056->16055 16057 40c4cb CloseHandle 16056->16057 16068 40b535 16056->16068 16057->16055 16058->16050 16059 40c373 16058->16059 16060 40c378 GetTickCount 16059->16060 16061 40c37f 16059->16061 16060->16061 16062 40c43b GetTickCount 16061->16062 16062->16050 16064 40a4f7 InterlockedExchange 16063->16064 16065 40a500 16064->16065 16066 40a4e4 GetTickCount 16064->16066 16065->16050 16065->16051 16065->16052 16066->16065 16067 40a4ef Sleep 16066->16067 16067->16064 16069 40b566 16068->16069 16070 40ebcc 4 API calls 16069->16070 16071 40b587 16070->16071 16072 40ebcc 4 API calls 16071->16072 16099 40b590 16072->16099 16073 40bdcd InterlockedDecrement 16074 40bde2 16073->16074 16076 40ec2e codecvt 4 API calls 16074->16076 16077 40bdea 16076->16077 16079 40ec2e codecvt 4 API calls 16077->16079 16078 40bdb7 Sleep 16078->16099 16080 40bdf2 16079->16080 16082 40be05 16080->16082 16083 40ec2e codecvt 4 API calls 16080->16083 16081 40bdcc 16081->16073 16083->16082 16084 40ebed 8 API calls 16084->16099 16087 40b6b6 lstrlenA 16087->16099 16088 4030b5 2 API calls 16088->16099 16089 40e819 11 API calls 16089->16099 16090 40b6ed lstrcpyA 16143 405ce1 16090->16143 16093 40b731 lstrlenA 16093->16099 16094 40b71f lstrcmpA 16094->16093 16094->16099 16095 40b772 
GetTickCount 16095->16099 16096 40bd49 InterlockedIncrement 16240 40a628 16096->16240 16099->16073 16099->16078 16099->16081 16099->16084 16099->16087 16099->16088 16099->16089 16099->16090 16099->16093 16099->16094 16099->16095 16099->16096 16100 40b7ce InterlockedIncrement 16099->16100 16101 4038f0 6 API calls 16099->16101 16102 40bc5b InterlockedIncrement 16099->16102 16105 40b912 GetTickCount 16099->16105 16106 40b826 InterlockedIncrement 16099->16106 16107 40b932 GetTickCount 16099->16107 16108 40bcdc closesocket 16099->16108 16110 405ce1 22 API calls 16099->16110 16113 40bba6 InterlockedIncrement 16099->16113 16115 40bc4c closesocket 16099->16115 16118 40ba71 wsprintfA 16099->16118 16120 40a7c1 22 API calls 16099->16120 16121 40ab81 lstrcpynA InterlockedIncrement 16099->16121 16122 40ef1e lstrlenA 16099->16122 16123 405ded 12 API calls 16099->16123 16125 403e10 16099->16125 16128 403e4f 16099->16128 16131 40384f 16099->16131 16151 40a7a3 inet_ntoa 16099->16151 16158 40abee 16099->16158 16170 401feb GetTickCount 16099->16170 16171 40a688 16099->16171 16194 403cfb 16099->16194 16197 40b3c5 16099->16197 16228 40ab81 16099->16228 16153 40acd7 16100->16153 16101->16099 16102->16099 16105->16099 16106->16095 16107->16099 16109 40bc6d InterlockedIncrement 16107->16109 16108->16099 16109->16099 16110->16099 16113->16099 16115->16099 16174 40a7c1 16118->16174 16120->16099 16121->16099 16122->16099 16123->16099 16126 4030fa 4 API calls 16125->16126 16127 403e1d 16126->16127 16127->16099 16129 4030fa 4 API calls 16128->16129 16130 403e5c 16129->16130 16130->16099 16132 4030fa 4 API calls 16131->16132 16133 403863 16132->16133 16134 4038b9 16133->16134 16135 403889 16133->16135 16142 4038b2 16133->16142 16249 4035f9 16134->16249 16243 403718 16135->16243 16140 403718 6 API calls 16140->16142 16141 4035f9 6 API calls 16141->16142 16142->16099 16144 405cf4 16143->16144 16145 405cec 16143->16145 16147 404bd1 4 API calls 16144->16147 16255 404bd1 GetTickCount 16145->16255 
16148 405d02 16147->16148 16260 405472 16148->16260 16152 40a7b9 16151->16152 16152->16099 16154 40f315 14 API calls 16153->16154 16155 40aceb 16154->16155 16156 40acff 16155->16156 16157 40f315 14 API calls 16155->16157 16156->16099 16157->16156 16159 40abfb 16158->16159 16162 40ac65 16159->16162 16323 402f22 16159->16323 16161 40f315 14 API calls 16161->16162 16162->16161 16163 40ac6f 16162->16163 16169 40ac8a 16162->16169 16164 40ab81 2 API calls 16163->16164 16165 40ac81 16164->16165 16331 4038f0 16165->16331 16166 402684 2 API calls 16168 40ac23 16166->16168 16168->16162 16168->16166 16169->16099 16170->16099 16345 40a63d 16171->16345 16173 40a696 16173->16099 16175 40a87d lstrlenA send 16174->16175 16176 40a7df 16174->16176 16177 40a899 16175->16177 16178 40a8bf 16175->16178 16176->16175 16183 40a7fa wsprintfA 16176->16183 16185 40a80a 16176->16185 16186 40a8f2 16176->16186 16180 40a8a5 wsprintfA 16177->16180 16193 40a89e 16177->16193 16181 40a8c4 send 16178->16181 16178->16186 16179 40a978 recv 16179->16186 16187 40a982 16179->16187 16180->16193 16182 40a8d8 wsprintfA 16181->16182 16181->16186 16182->16193 16183->16185 16184 40a9b0 wsprintfA 16184->16193 16185->16175 16186->16179 16186->16184 16186->16187 16188 4030b5 2 API calls 16187->16188 16187->16193 16189 40ab05 16188->16189 16190 40e819 11 API calls 16189->16190 16191 40ab17 16190->16191 16192 40a7a3 inet_ntoa 16191->16192 16192->16193 16193->16099 16195 4030fa 4 API calls 16194->16195 16196 403d0b 16195->16196 16196->16099 16198 405ce1 22 API calls 16197->16198 16199 40b3e6 16198->16199 16200 405ce1 22 API calls 16199->16200 16202 40b404 16200->16202 16201 40b440 16204 40ef7c 3 API calls 16201->16204 16202->16201 16203 40ef7c 3 API calls 16202->16203 16205 40b42b 16203->16205 16206 40b458 wsprintfA 16204->16206 16207 40ef7c 3 API calls 16205->16207 16208 40ef7c 3 API calls 16206->16208 16207->16201 16209 40b480 16208->16209 16210 40ef7c 3 API calls 16209->16210 16211 40b493 16210->16211 16212 40ef7c 
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?,00000020), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(004133D8), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Memory Dump Source
• Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
• API String ID: 2089075347-2824936573
• Opcode ID: 4d376ad398af10e8180197a370fab4305cdb7a8350a95e6006a40bc34d3ada67
• Instruction ID: c54dd164401bc8252f7c7d364e59892cce9d7843782f7eb75857c238c925ac93
• Opcode Fuzzy Hash: 4d376ad398af10e8180197a370fab4305cdb7a8350a95e6006a40bc34d3ada67
• Instruction Fuzzy Hash: 815290B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph: function at 409326 (rendered graph and basic-block edge list not reproduced)
APIs
• GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
• GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
• wsprintfA.USER32 ref: 004093CE
• wsprintfA.USER32 ref: 0040940C
• wsprintfA.USER32 ref: 0040948D
• RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
Memory Dump Source
• Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: PromptOnSecureDesktop$runas
• API String ID: 3696105349-2220793183
• Opcode ID: 22ebba4a15f844ca6926cd38191801fef154a6796d3e5a6cc06fe4d794d23856
• Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
• Opcode Fuzzy Hash: 22ebba4a15f844ca6926cd38191801fef154a6796d3e5a6cc06fe4d794d23856
• Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

Control-flow Graph: function at 406a60 (rendered graph and basic-block edge list not reproduced)
APIs
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
• FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
• GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
Memory Dump Source
• Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
Similarity
• API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
• String ID: PromptOnSecureDesktop
• API String ID: 1251348514-2980165447
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

Control-flow Graph

APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
• GetTickCount.KERNEL32 ref: 0040EC78
Memory Dump Source
• Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0
• Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
• Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
• Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

Control-flow Graph: function at 627b50 (rendered graph and basic-block edge list not reproduced)
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00627B78
• Module32First.KERNEL32(00000000,00000224), ref: 00627B98
Memory Dump Source
• Source File: 00000000.00000002.1728900989.0000000000623000.00000040.00000020.00020000.00000000.sdmp, Offset: 00623000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_623000_I5vhb7vJPS.jbxd
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: 673e9bfefa8ebc8bfab8f579407970521f9837e0d9e6c608ff7dbb1850a4a359
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: DFF0F632500B21AFD7203FF4B88CFAE72E9AF59326F100168F642911C0CB70EC454E61

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 827 40ebcc-40ebec GetProcessHeap RtlAllocateHeap call 40eb74
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
• RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
  • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
  • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
Memory Dump Source
• Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AllocateSize
• String ID:
• API String ID: 2559512979-0
• Opcode ID: 016757daa93d1c8f4fdb8ed6cb81e37ee7fb74fee72fced1de4250a91a8c3a9c
• Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
• Opcode Fuzzy Hash: 016757daa93d1c8f4fdb8ed6cb81e37ee7fb74fee72fced1de4250a91a8c3a9c
• Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 264 4073ff-407419 265 40741b 264->265 266 40741d-407422 264->266 265->266 267 407424 266->267 268 407426-40742b 266->268 267->268 269 407430-407435 268->269 270 40742d 268->270 271 407437 269->271 272 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 269->272 270->269 271->272 277 407487-40749d call 40ee2a 272->277 278 4077f9-4077fe call 40ee2a 272->278 283 407703-40770e RegEnumKeyA 277->283 284 407801 278->284 285 4074a2-4074b1 call 406cad 283->285 286 407714-40771d RegCloseKey 283->286 287 407804-407808 284->287 290 4074b7-4074cc call 40f1a5 285->290 291 4076ed-407700 285->291 286->284 290->291 294 4074d2-4074f8 RegOpenKeyExA 290->294 291->283 295 407727-40772a 294->295 296 4074fe-407530 call 402544 RegQueryValueExA 294->296 297 407755-407764 call 40ee2a 295->297 298 40772c-407740 call 40ef00 295->298 296->295 305 407536-40753c 296->305 306 4076df-4076e2 297->306 307 407742-407745 RegCloseKey 298->307 308 40774b-40774e 298->308 309 40753f-407544 305->309 306->291 311 4076e4-4076e7 RegCloseKey 306->311 307->308 310 4077ec-4077f7 RegCloseKey 308->310 309->309 312 407546-40754b 309->312 310->287 311->291 312->297 313 407551-40756b call 40ee95 312->313 313->297 316 407571-407593 call 402544 call 40ee95 313->316 321 407753 316->321 322 407599-4075a0 316->322 321->297 323 4075a2-4075c6 call 40ef00 call 40ed03 322->323 324 4075c8-4075d7 call 40ed03 322->324 329 4075d8-4075da 323->329 324->329 331 4075dc 329->331 332 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 329->332 331->332 342 407626-40762b 332->342 342->342 343 40762d-407634 342->343 344 407637-40763c 343->344 344->344 345 40763e-407642 344->345 346 407644-407656 call 40ed77 345->346 347 40765c-407673 call 40ed23 345->347 352 407769-40777c call 40ef00 346->352 353 407680 347->353 354 407675-40767e 347->354 359 4077e3-4077e6 RegCloseKey 352->359 356 407683-40768e call 406cad 353->356 354->356 361 407722-407725 356->361 362 407694-4076bf call 40f1a5 call 406c96 356->362 359->310 363 4076dd 361->363 368 4076c1-4076c7 362->368 369 4076d8 362->369 363->306 368->369 370 4076c9-4076d2 368->370 369->363 370->369 371 40777e-407797 GetFileAttributesExA 370->371 372 407799 371->372 373 40779a-40779f 371->373 372->373 374 4077a1 373->374 375 4077a3-4077a8 373->375 374->375 376 4077c4-4077c8 375->376 377 4077aa-4077c0 call 40ee08 375->377 378 4077d7-4077dc 376->378 379 4077ca-4077d6 call 40ef00 376->379 377->376 382 4077e0-4077e2 378->382 383 4077de 378->383 379->378 382->359 383->382
APIs
• RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
• RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
• ___ascii_stricmp.LIBCMT ref: 0040764D
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
• RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
• RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
• RegCloseKey.ADVAPI32(?), ref: 004077E6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "$PromptOnSecureDesktop
• API String ID: 3433985886-3108538426
• Opcode ID: 2df205727842959c67d89485333c37da782172426ac12f7c67d6d65fc9424ce3
• Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
• Opcode Fuzzy Hash: 2df205727842959c67d89485333c37da782172426ac12f7c67d6d65fc9424ce3
• Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 386 40704c-407071 387 407073 386->387 388 407075-40707a 386->388 387->388 389 40707c 388->389 390 40707e-407083 388->390 389->390 391 407085 390->391 392 407087-40708c 390->392 391->392 393 407090-4070ca call 402544 RegOpenKeyExA 392->393 394 40708e 392->394 397 4070d0-4070f6 call 406dc2 393->397 398 4071b8-4071c8 call 40ee2a 393->398 394->393 404 40719b-4071a9 RegEnumValueA 397->404 403 4071cb-4071cf 398->403 405 4070fb-4070fd 404->405 406 4071af-4071b2 RegCloseKey 404->406 407 40716e-407194 405->407 408 4070ff-407102 405->408 406->398 407->404 408->407 409 407104-407107 408->409 409->407 410 407109-40710d 409->410 410->407 411 40710f-407133 call 402544 call 40eed1 410->411 416 4071d0-407203 call 402544 call 40ee95 call 40ee2a 411->416 417 407139-407145 call 406cad 411->417 432 407205-407212 RegCloseKey 416->432 433 407227-40722e 416->433 423 407147-40715c call 40f1a5 417->423 424 40715e-40716b call 40ee2a 417->424 423->416 423->424 424->407 436 407222-407225 432->436 437 407214-407221 call 40ef00 432->437 434 407230-407256 call 40ef00 call 40ed23 433->434 435 40725b-40728c call 402544 call 40ee95 call 40ee2a 433->435 434->435 448 407258 434->448 451 4072b8-4072cb call 40ed77 435->451 452 40728e-40729a RegCloseKey 435->452 436->403 437->436 448->435 459 4072dd-4072f4 call 40ed23 451->459 460 4072cd-4072d8 RegCloseKey 451->460 453 4072aa-4072b3 452->453 454 40729c-4072a9 call 40ef00 452->454 453->403 454->453 463 407301 459->463 464 4072f6-4072ff 459->464 460->403 465 407304-40730f call 406cad 463->465 464->465 468 407311-40731d RegCloseKey 465->468 469 407335-40735d call 406c96 465->469 470 40732d-407330 468->470 471 40731f-40732c call 40ef00 468->471 476 4073d5-4073e2 RegCloseKey 469->476 477 40735f-407365 469->477 470->453 471->470 479 4073f2-4073f7 476->479 480 4073e4-4073f1 call 40ef00 476->480 477->476 478 407367-407370 477->478 478->476 481 407372-40737c 478->481 480->479 483 40739d-4073a2 481->483 484 40737e-407395 GetFileAttributesExA 481->484 486 4073a4 483->486 487 4073a6-4073a9 483->487 484->483 488 407397 484->488 486->487 489 4073b9-4073bc 487->489 490 4073ab-4073b8 call 40ef00 487->490 488->483 492 4073cb-4073cd 489->492 493 4073be-4073ca call 40ef00 489->493 490->489 492->476 493->492
APIs
• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
• RegEnumValueA.KERNELBASE(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
• RegCloseKey.KERNELBASE(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
• RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
• RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"$PromptOnSecureDesktop
• API String ID: 4293430545-98143240
• Opcode ID: 548ddad5ef42cfce8c7bacff6a3676c54bc4849cd622c264de59799d3391f747
• Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
• Opcode Fuzzy Hash: 548ddad5ef42cfce8c7bacff6a3676c54bc4849cd622c264de59799d3391f747
• Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 576 40675c-406778 577 406784-4067a2 CreateFileA 576->577 578 40677a-40677e SetFileAttributesA 576->578 579 4067a4-4067b2 CreateFileA 577->579 580 4067b5-4067b8 577->580 578->577 579->580 581 4067c5-4067c9 580->581 582 4067ba-4067bf SetFileAttributesA 580->582 583 406977-406986 581->583 584 4067cf-4067df GetFileSize 581->584 582->581 585 4067e5-4067e7 584->585 586 40696b 584->586 585->586 587 4067ed-40680b ReadFile 585->587 588 40696e-406971 FindCloseChangeNotification 586->588 587->586 589 406811-406824 SetFilePointer 587->589 588->583 589->586 590 40682a-406842 ReadFile 589->590 590->586 591 406848-406861 SetFilePointer 590->591 591->586 592 406867-406876 591->592 593 4068d5-4068df 592->593 594 406878-40688f ReadFile 592->594 593->588 595 4068e5-4068eb 593->595 596 406891-40689e 594->596 597 4068d2 594->597 598 4068f0-4068fe call 40ebcc 595->598 599 4068ed 595->599 600 4068a0-4068b5 596->600 601 4068b7-4068ba 596->601 597->593 598->586 607 406900-40690b SetFilePointer 598->607 599->598 603 4068bd-4068c3 600->603 601->603 605 4068c5 603->605 606 4068c8-4068ce 603->606 605->606 606->594 608 4068d0 606->608 609 40695a-406969 call 40ec2e 607->609 610 40690d-406920 ReadFile 607->610 608->593 609->588 610->609 611 406922-406958 610->611 611->588
APIs
• SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
• CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
• SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
• GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
• ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
• ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
• SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
• ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
• SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
• ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
• FindCloseChangeNotification.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 00406971
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
Yara matches
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
• String ID:
• API String ID: 1400801100-0
• Opcode ID: b1a785068fcebdbf7fbaccced5a56eae94fb2a5cdca60ee24118808f1867984c
• Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
• Opcode Fuzzy Hash: b1a785068fcebdbf7fbaccced5a56eae94fb2a5cdca60ee24118808f1867984c
• Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 640 20b003c-20b0047 641 20b0049 640->641 642 20b004c-20b0263 call 20b0a3f call 20b0e0f call 20b0d90 VirtualAlloc 640->642 641->642 657 20b028b-20b0292 642->657 658 20b0265-20b0289 call 20b0a69 642->658 660 20b02a1-20b02b0 657->660 662 20b02ce-20b03c2 VirtualProtect call 20b0cce call 20b0ce7 658->662 660->662 663 20b02b2-20b02cc 660->663 669 20b03d1-20b03e0 662->669 663->660 670 20b0439-20b04b8 VirtualFree 669->670 671 20b03e2-20b0437 call 20b0ce7 669->671 673 20b04be-20b04cd 670->673 674 20b05f4-20b05fe 670->674 671->669 676 20b04d3-20b04dd 673->676 677 20b077f-20b0789 674->677 678 20b0604-20b060d 674->678 676->674 682 20b04e3-20b0505 LoadLibraryA 676->682 680 20b078b-20b07a3 677->680 681 20b07a6-20b07b0 677->681 678->677 683 20b0613-20b0637 678->683 680->681 685 20b086e-20b08be LoadLibraryA 681->685 686 20b07b6-20b07cb 681->686 687 20b0517-20b0520 682->687 688 20b0507-20b0515 682->688 684 20b063e-20b0648 683->684 684->677 690 20b064e-20b065a 684->690 696 20b08c7-20b08f9 685->696 691 20b07d2-20b07d5 686->691 689 20b0526-20b0547 687->689 688->689 694 20b054d-20b0550 689->694 690->677 695 20b0660-20b066a 690->695 692 20b07d7-20b07e0 691->692 693 20b0824-20b0833 691->693 697 20b07e2 692->697 698 20b07e4-20b0822 692->698 702 20b0839-20b083c 693->702 699 20b05e0-20b05ef 694->699 700 20b0556-20b056b 694->700 701 20b067a-20b0689 695->701 703 20b08fb-20b0901 696->703 704 20b0902-20b091d 696->704 697->693 698->691 699->676 705 20b056f-20b057a 700->705 706 20b056d 700->706 707 20b068f-20b06b2 701->707 708 20b0750-20b077a 701->708 702->685 709 20b083e-20b0847 702->709 703->704 710 20b059b-20b05bb 705->710 711 20b057c-20b0599 705->711 706->699 712 20b06ef-20b06fc 707->712 713 20b06b4-20b06ed 707->713 708->684 714 20b084b-20b086c 709->714 715 20b0849 709->715 723 20b05bd-20b05db 710->723 711->723 717 20b074b 712->717 718 20b06fe-20b0748 712->718 713->712 714->702 715->685 717->701 718->717 723->694
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 020B024D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 14817da49ff3392f219a4229ff7d25448ff8ef163c1352c92a335c57ab03c33e
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: B8526974A01229DFDBA5CF68C984BADBBB1BF09304F1480D9E54DAB351DB30AA85DF14

Control-flow Graph

APIs
• lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
• lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
• lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
  • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
  • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
  • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
  • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
  • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
Strings
Memory Dump Source
• Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
Yara matches
Similarity
• API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
• String ID: PromptOnSecureDesktop
• API String ID: 4131120076-2980165447
• Opcode ID: e8dec48c999e38d9a1383b34990487ed0824902fe415a726a9595d522d2b8c62
• Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
• Opcode Fuzzy Hash: e8dec48c999e38d9a1383b34990487ed0824902fe415a726a9595d522d2b8c62
• Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                      Control-flow Graph
                                                                                      • Rendered graph (node colouring Executed / Not Executed not reproduced). Basic blocks: 404000-404008; 40400b-40402a CreateFileA; 40402c-404035 GetLastError; 404037-40403a; 40403c-40403f; 404041-404050 Sleep, looping back to 40400b; 404052; 404054-404056; 404057; 404059-40405c.
                                                                                      APIs
                                                                                      • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                      • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                      • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateErrorFileLastSleep
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 408151869-2980165447
                                                                                      • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                      • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                      • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                      • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                      Control-flow Graph
                                                                                      • Rendered graph (node colouring Executed / Not Executed not reproduced). Basic blocks: 406987-4069b7; 4069b9-4069be; 4069c0-4069d0; 4069d2; 4069d5-4069de; 4069e0; 4069e4-4069fd WriteFile; 4069ff-406a02; 406a04-406a08; 406a0a-406a0d; 406a10-406a2e WriteFile; 406a30-406a33; 406a35-406a3a, looping back to 406a10; 406a3c-406a3e; 406a40-406a4b; 406a4d-406a51; 406a53-406a56; 406a59; 406a5b-406a5f.
                                                                                      APIs
                                                                                      • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                      • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FileWrite
                                                                                      • String ID: ,k@
                                                                                      • API String ID: 3934441357-1053005162
                                                                                      • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                      • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                      • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                      • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                      Control-flow Graph
                                                                                      • Rendered graph (node colouring Executed / Not Executed not reproduced). Basic blocks span 4091eb-409324: calls to 40ed03 from 40920e-40921c and 40921e-40922c, to 40ee08 from 409250-409270; ShellExecuteA in 4092bf-4092db, Sleep in 4092f1-4092f6; 4092fc-409302 branches back to 40920e-40921c (loop) or on to 409308.
                                                                                      APIs
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                      • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShellSleep
                                                                                      • String ID:
                                                                                      • API String ID: 4194306370-0
                                                                                      • Opcode ID: b5ba1f4869b893782c1a8b3f9d638dedecc2304624039232ebf8de47d5d34da1
                                                                                      • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                      • Opcode Fuzzy Hash: b5ba1f4869b893782c1a8b3f9d638dedecc2304624039232ebf8de47d5d34da1
                                                                                      • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

                                                                                      Control-flow Graph
                                                                                      • Rendered graph (node colouring Executed / Not Executed not reproduced). Basic blocks: 20b0e0f-20b0e24 SetErrorMode * 2; 20b0e26; 20b0e2b-20b0e2c.
                                                                                      APIs
                                                                                      • SetErrorMode.KERNELBASE(00000400,?,?,020B0223,?,?), ref: 020B0E19
                                                                                      • SetErrorMode.KERNELBASE(00000000,?,?,020B0223,?,?), ref: 020B0E1E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorMode
                                                                                      • String ID:
                                                                                      • API String ID: 2340568224-0
                                                                                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                      • Instruction ID: c2860f47db282722f4f6209d79134e175963663ed1f9cd71128f4e39bb3dd98e
                                                                                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                      • Instruction Fuzzy Hash: 53D0123514522877D7512A94DC09BCE7B5CDF05B66F008011FB0DD9080C770954046E5

                                                                                      Control-flow Graph
                                                                                      • Rendered graph (node colouring Executed / Not Executed not reproduced). Basic blocks: 406dc2-406dd5; 406dd7-406df1 call 406cc9, call 40ef00; 406df4-406df9 (self-loop); 406dfb-406e00; 406e02-406e22 GetVolumeInformationA; 406e24; 406e2e; 406e33-406e35.
                                                                                      APIs
                                                                                        • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                        • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                        • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                        • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                      • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                      • String ID:
                                                                                      • API String ID: 1823874839-0
                                                                                      • Opcode ID: bdb1d1e0272e0a02f4fd0db7a1ece7ab80c25a3e7f07441334a3d300ce80d24d
                                                                                      • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                      • Opcode Fuzzy Hash: bdb1d1e0272e0a02f4fd0db7a1ece7ab80c25a3e7f07441334a3d300ce80d24d
                                                                                      • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                      APIs
                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00627860
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728900989.0000000000623000.00000040.00000020.00020000.00000000.sdmp, Offset: 00623000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_623000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 4275171209-0
                                                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                      • Instruction ID: 41abd7fdae48b6a7d9c1cf1e03571e5e530f07763bb427ef771a44a3f6bb4b75
                                                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                      • Instruction Fuzzy Hash: CA113C79A00208EFDB01DF98C985E99BFF5AF08351F0580A4F9489B362D375EA50DF90
                                                                                      APIs
                                                                                      • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                      • closesocket.WS2_32(?), ref: 0040CB63
                                                                                      • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                      • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                      • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                      • wsprintfA.USER32 ref: 0040CD21
                                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                      • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                      • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                      • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                      • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                      • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                      • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                      • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,.dat), ref: 0040D155
                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,.dat), ref: 0040D1C8
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                      • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,.dat,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                      • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                      • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                      • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                      • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                      • closesocket.WS2_32(?), ref: 0040D56C
                                                                                      • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                      • ExitProcess.KERNEL32 ref: 0040D583
                                                                                      • wsprintfA.USER32 ref: 0040D81F
                                                                                        • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                      • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                      • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                      • API String ID: 562065436-3791576231
                                                                                      • Opcode ID: 3d819cb602cae3537d3f4aaffe5be6d4d62e57ac01cca65cfd5db845ca7bec14
                                                                                      • Instruction ID: 7de2b6e3916d61af54a21f8e373482f72987fa921bce225ad61aacfc468b7174
                                                                                      • Opcode Fuzzy Hash: 3d819cb602cae3537d3f4aaffe5be6d4d62e57ac01cca65cfd5db845ca7bec14
                                                                                      • Instruction Fuzzy Hash: 73B2C471D00209BBEB209FA4DD85FEA7BB9AB08304F14457BF505B22D1D7789A89CB5C
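The API list of the 0040CA4E-0040DAD5 block above reads as an installer: a file is written under the temp path and executed with CREATE_NO_WINDOW (08000000) and waited on for 0xEA60 ms, then deleted; three files are then written after SetFileAttributesA(…, 00000080) and re-hidden with SetFileAttributesA(…, 00000002), a final CreateProcessA is followed by DeleteFileA, Sleep(000003E8) and ExitProcess. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: a small parser for the "• Api.MODULE(args), ref: address" line format as it appears on this page, and two sequence heuristics that pick out the drop/execute/delete chain and the clear-attributes/rewrite/re-hide pattern from such lines. The sample input is a subset of the lines above, copied verbatim; the line grammar is inferred from this page only, and the heuristics work on report order, not on data flow (most path arguments are shown as "?").

```python
# Added example for this report page, not Joe Sandbox code: a parser for the
# "APIs" lines of a function block plus two sequence heuristics over them. The
# line format is inferred from this page; the constants are documented Win32 values.
import re
from dataclasses import dataclass

GENERIC_WRITE = 0x40000000           # CreateFileA dwDesiredAccess bit
FILE_ATTRIBUTE_HIDDEN = 0x02         # SetFileAttributesA dwFileAttributes
FILE_ATTRIBUTE_NORMAL = 0x80         # clears HIDDEN/READONLY/SYSTEM
CREATE_NO_WINDOW = 0x08000000        # CreateProcessA dwCreationFlags

# "• Api.MODULE(arg,arg,...), ref: 0040CCB4"; calls listed without arguments
# ("ExitProcess.KERNEL32 ref: ...") have neither the parentheses nor the comma.
LINE_RE = re.compile(
    r"^\s*•\s*(\w+)\.(\w+)(?:\(([^)]*)\))?\s*,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")

# Lines copied from this report's 0040CA4E-0040DAD5 block (a subset, in report order).
SAMPLE_LINES = """
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
• WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
• DeleteFileA.KERNEL32(?), ref: 0040CDC4
• SetFileAttributesA.KERNEL32(?,00000080,.dat), ref: 0040D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
• SetFileAttributesA.KERNEL32(?,00000002,.dat), ref: 0040D1C8
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
• CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
• ExitProcess.KERNEL32 ref: 0040D583
  • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
"""

@dataclass
class Call:
    api: str
    module: str
    args: list   # int for 8-hex-digit immediates, None for '?', str for literals
    ref: int     # address of the call instruction

def _arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok) else tok

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:                      # blank, header and "Part of subcall" lines
        return None
    api, module, raw, ref = m.groups()
    return Call(api, module, [_arg(t) for t in raw.split(",")] if raw else [], int(ref, 16))

def parse_block(text):
    return [c for c in map(parse_line, text.splitlines()) if c]

def _flag(call, index, bit):
    a = call.args
    return len(a) > index and isinstance(a[index], int) and bool(a[index] & bit)

def find_drop_and_execute(calls):
    """CreateFileA(write) -> WriteFile -> CreateProcessA -> DeleteFileA in report order.
    Sequence heuristic only: paths are '?', so the deleted file is not proven to be the written one."""
    chains, state, cur = [], 0, {}
    for c in calls:
        if c.api == "CreateFileA" and _flag(c, 1, GENERIC_WRITE):
            state, cur = 1, {"create": c.ref}        # a new writable open restarts the match
        elif state == 1 and c.api == "WriteFile":
            state = 2
        elif state == 2 and c.api == "CreateProcessA":
            cur.update(spawn=c.ref, no_window=_flag(c, 5, CREATE_NO_WINDOW))
            state = 3
        elif state == 3 and c.api == "DeleteFileA":
            cur["delete"] = c.ref
            chains.append(cur)
            state, cur = 0, {}
    return chains

def find_hidden_drops(calls):
    """SetFileAttributesA(NORMAL) ... WriteFile ... SetFileAttributesA(HIDDEN): attributes are
    cleared so an existing hidden file can be rewritten, then it is hidden again. The API has
    two parameters; later entries in the report are stack residue, kept only as a name hint."""
    found, pending = [], None
    for c in calls:
        if c.api == "SetFileAttributesA" and _flag(c, 1, FILE_ATTRIBUTE_NORMAL):
            pending = {"clear": c.ref, "wrote": False, "hint": c.args[2] if len(c.args) > 2 else None}
        elif c.api == "SetFileAttributesA" and _flag(c, 1, FILE_ATTRIBUTE_HIDDEN) and pending and pending["wrote"]:
            pending["hide"] = c.ref
            found.append(pending)
            pending = None
        elif pending and c.api == "WriteFile":
            pending["wrote"] = True
    return found

if __name__ == "__main__":
    calls = parse_block(SAMPLE_LINES)
    print(len(calls), "calls;", find_drop_and_execute(calls), find_hidden_drops(calls))
```

On the sample above the first heuristic yields two chains (0040CCB4/0040CD77/0040CDC4 and 0040D408/0040D4DE/0040D513, both with CREATE_NO_WINDOW set) and the second yields two clear/rewrite/re-hide records (0040D155/0040D1C8 with the ".dat" hint and 0040D3EC/0040D45B with none). The second chain pairs the last writable CreateFileA with the final DeleteFileA purely by order; whether that DeleteFileA removes a dropped file or the original sample has to be settled in the disassembly, which is why the docstring calls it a heuristic.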
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                      • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                      • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                      • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                      • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                      • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                      • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                      • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                      • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                      • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                      • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                      • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                      • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressProc$LibraryLoad
                                                                                      • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                      • API String ID: 2238633743-3228201535
                                                                                      • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                      • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                      • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                      • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                      • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                      • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                      • wsprintfA.USER32 ref: 0040B3B7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                      • API String ID: 766114626-2976066047
                                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                      • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                      • String ID: D
                                                                                      • API String ID: 3722657555-2746444292
                                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                      • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                      • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                      APIs
                                                                                      • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                      • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShelllstrlen
                                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                      • API String ID: 1628651668-179334549
                                                                                      • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                      • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                      • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                      • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                      • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                      • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                      • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                        • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                      • API String ID: 4207808166-1381319158
                                                                                      • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                      • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                      • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                      • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                      APIs
                                                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
                                                                                      • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
                                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                      • htons.WS2_32(00000000), ref: 00402ADB
                                                                                      • select.WS2_32 ref: 00402B28
                                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                      • htons.WS2_32(?), ref: 00402B71
                                                                                      • htons.WS2_32(?), ref: 00402B8C
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                      • String ID:
                                                                                      • API String ID: 1639031587-0
                                                                                      • Opcode ID: bd1a51c2e9407ac430f6576f859c19e3b22172b3d394597aff4f9cfca0298820
                                                                                      • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                      • Opcode Fuzzy Hash: bd1a51c2e9407ac430f6576f859c19e3b22172b3d394597aff4f9cfca0298820
                                                                                      • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                      • ExitProcess.KERNEL32 ref: 00404121
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateEventExitProcess
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 2404124870-2980165447
                                                                                      • Opcode ID: c16d4a3b1f15c080ebf39b77e6f88fb021d923f107e4966bb67ea8295942f7c8
                                                                                      • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                      • Opcode Fuzzy Hash: c16d4a3b1f15c080ebf39b77e6f88fb021d923f107e4966bb67ea8295942f7c8
                                                                                      • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                      APIs
                                                                                      • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                      • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                                      • String ID:
                                                                                      • API String ID: 2438460464-0
                                                                                      • Opcode ID: 0f22fe24dbf077d2b442127c41be14a4979ccbdb3e2203d8393d0dd42a6504e5
                                                                                      • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                      • Opcode Fuzzy Hash: 0f22fe24dbf077d2b442127c41be14a4979ccbdb3e2203d8393d0dd42a6504e5
                                                                                      • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                      APIs
                                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                      • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                      • String ID: *p@
                                                                                      • API String ID: 3429775523-2474123842
                                                                                      • Opcode ID: d0e948cacbc09e720e3321fbcf961fef4977f08be961d70e0acc64f9b42743bb
                                                                                      • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                      • Opcode Fuzzy Hash: d0e948cacbc09e720e3321fbcf961fef4977f08be961d70e0acc64f9b42743bb
                                                                                      • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 020B65F6
                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 020B6610
                                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 020B6631
                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 020B6652
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                      • String ID:
                                                                                      • API String ID: 1965334864-0
                                                                                      • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                      • Instruction ID: 662921b5bf1401847fbe026ce65465b4f6b718c10bf5159dd3a956fd5314c55c
                                                                                      • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                      • Instruction Fuzzy Hash: B7116D71600218BFDB229F75DC09FDB3BACEF057A5F004024FA09A7250D7B2DD109AA4
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                      • String ID:
                                                                                      • API String ID: 1965334864-0
                                                                                      • Opcode ID: 3c26a2e63fe1e44e7a0b6f258d651225f22a146f3c30eeb6549516378f5f9d63
                                                                                      • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                      • Opcode Fuzzy Hash: 3c26a2e63fe1e44e7a0b6f258d651225f22a146f3c30eeb6549516378f5f9d63
                                                                                      • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                      APIs
                                                                                      • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                      • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                        • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                        • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                      • String ID:
                                                                                      • API String ID: 3754425949-0
                                                                                      • Opcode ID: 1ec4011c045f949cfec2697498cac72ed0385a77bd95f77c300cb36665fb2fc4
                                                                                      • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                      • Opcode Fuzzy Hash: 1ec4011c045f949cfec2697498cac72ed0385a77bd95f77c300cb36665fb2fc4
                                                                                      • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID: .$GetProcAddress.$l
                                                                                      • API String ID: 0-2784972518
                                                                                      • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                      • Instruction ID: 2c8b122756e7d1c76dbf3307e28635d16f169baddcd9f84f6343000e4a12ced9
                                                                                      • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                      • Instruction Fuzzy Hash: D23149B6900709DFDB21CF99C880AEEBBF6FF48324F14415AD441A7250D771EA45CBA4
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                      • Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
                                                                                      • Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
                                                                                      • Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728900989.0000000000623000.00000040.00000020.00020000.00000000.sdmp, Offset: 00623000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_623000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                      • Instruction ID: 74caa411b88500afa507b792b79d91b4f03aa53bd90ed31cb016c47221ad2e03
                                                                                      • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                                      • Instruction Fuzzy Hash: 99117C72344510AFD754EE55EC91EA677EAEB88320B298069ED08CB312E675EC02CB60
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                      • Instruction ID: ae801a88314c073f9ce041e53d5c6a4f1ccaa872c9aa568154bc63fafd5e974a
                                                                                      • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                      • Instruction Fuzzy Hash: 0201A276A107048FDF33CF24C805BEB33E6FF86216F4545B5D91A97281E774A9418B90
                                                                                      APIs
                                                                                      • ExitProcess.KERNEL32 ref: 020B9E6D
                                                                                      • lstrcpy.KERNEL32(?,00000000), ref: 020B9FE1
                                                                                      • lstrcat.KERNEL32(?,?), ref: 020B9FF2
                                                                                      • lstrcat.KERNEL32(?,0041070C), ref: 020BA004
                                                                                      • GetFileAttributesExA.KERNEL32(?,?,?), ref: 020BA054
                                                                                      • DeleteFileA.KERNEL32(?), ref: 020BA09F
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 020BA0D6
                                                                                      • lstrcpy.KERNEL32 ref: 020BA12F
                                                                                      • lstrlen.KERNEL32(00000022), ref: 020BA13C
                                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 020B9F13
                                                                                        • Part of subcall function 020B7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 020B7081
                                                                                        • Part of subcall function 020B6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\ddwzbkaa,020B7043), ref: 020B6F4E
                                                                                        • Part of subcall function 020B6F30: GetProcAddress.KERNEL32(00000000), ref: 020B6F55
                                                                                        • Part of subcall function 020B6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 020B6F7B
                                                                                        • Part of subcall function 020B6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 020B6F92
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 020BA1A2
                                                                                      • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 020BA1C5
                                                                                      • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 020BA214
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 020BA21B
                                                                                      • GetDriveTypeA.KERNEL32(?), ref: 020BA265
                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 020BA29F
                                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 020BA2C5
                                                                                      • lstrcat.KERNEL32(?,00000022), ref: 020BA2D9
                                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 020BA2F4
                                                                                      • wsprintfA.USER32 ref: 020BA31D
                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 020BA345
                                                                                      • lstrcat.KERNEL32(?,?), ref: 020BA364
                                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 020BA387
                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 020BA398
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 020BA1D1
                                                                                        • Part of subcall function 020B9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 020B999D
                                                                                        • Part of subcall function 020B9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 020B99BD
                                                                                        • Part of subcall function 020B9966: RegCloseKey.ADVAPI32(?), ref: 020B99C6
                                                                                      • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 020BA3DB
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 020BA3E2
                                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 020BA41D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                      • String ID: "$"$"$D$P$\
                                                                                      • API String ID: 1653845638-2605685093
                                                                                      • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                      • Instruction ID: a83e2a8f72b5503957182c00e3a75de5f1d1c8f4338ab88a280c260145a37514
                                                                                      • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                      • Instruction Fuzzy Hash: 4CF131B1D4035DAFDB62DBA08C88FEE7BBCAF08704F0484A6F605E2151E77586849F65
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 020B7D21
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 020B7D46
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 020B7D7D
                                                                                      • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 020B7DA2
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 020B7DC0
                                                                                      • EqualSid.ADVAPI32(?,?), ref: 020B7DD1
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 020B7DE5
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 020B7DF3
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 020B7E03
                                                                                      • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 020B7E12
                                                                                      • LocalFree.KERNEL32(00000000), ref: 020B7E19
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 020B7E35
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                      • String ID: D$PromptOnSecureDesktop
                                                                                      • API String ID: 2976863881-1403908072
                                                                                      • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                      • Instruction ID: 8e68325ffa114e7c37aff0fcf60c8992f8bdebed37e9d8520a14a4b9ed056e58
                                                                                      • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                      • Instruction Fuzzy Hash: E8A16C72900219AFDB628FA0DC88FEEBBBDFF48344F048169F515E6160D7758A84DB64
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                      • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                      • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                      • String ID: D$PromptOnSecureDesktop
                                                                                      • API String ID: 2976863881-1403908072
                                                                                      • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                      • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                      • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                                      • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                      • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                      • API String ID: 2400214276-165278494
                                                                                      • Opcode ID: 9fa8e0b94cba88ccf9c39099ec117cabac316901c6146e9ce34772f6ef20867e
                                                                                      • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                      • Opcode Fuzzy Hash: 9fa8e0b94cba88ccf9c39099ec117cabac316901c6146e9ce34772f6ef20867e
                                                                                      • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 0040A7FB
                                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                      • wsprintfA.USER32 ref: 0040A8AF
                                                                                      • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                      • wsprintfA.USER32 ref: 0040A8E2
                                                                                      • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                      • wsprintfA.USER32 ref: 0040A9B9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$send$lstrlenrecv
                                                                                      • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                      • API String ID: 3650048968-2394369944
                                                                                      • Opcode ID: c2b0cafdd9967373d9d9f1cb15ea6c3679760664ce6b838b3656b1082fd95473
                                                                                      • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                      • Opcode Fuzzy Hash: c2b0cafdd9967373d9d9f1cb15ea6c3679760664ce6b838b3656b1082fd95473
                                                                                      • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
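The strings and calls in the block above (ehlo/helo, AUTH LOGIN, mail from, rcpt to, data, quit, a 5-byte send of the "." terminator, recv into a 0x3F6-byte buffer, and the three "respons" error messages plus "Error sending command (sent = %d/%d)") describe a self-contained SMTP client rather than any mail library. The example below is added for this page and is not code from the sample: it reconstructs that dialogue in Python against an in-memory scripted server so both sides of the exchange are visible. Assumptions, labelled in the code: the 5-byte terminator is CRLF "." CRLF; a reply that fills the 1014-byte buffer is "too big", one shorter than "NNN" CRLF is "too small", and a non-numeric or unexpected code is "incorrect" (the real thresholds are not recoverable from the listing); the server script, hostnames and credentials are constructed test data.

```python
import base64

RECV_MAX = 0x3F6            # recv(..., 0x3F6): replies are read into a 1014-byte buffer
END_OF_DATA = b"\r\n.\r\n"  # the 5-byte send of "." that ends DATA (assumed CRLF . CRLF)


class SmtpError(Exception):
    """Raised with the same wording as the error strings in the listing."""


class FakeSmtpServer:
    """Scripted peer with socket-like send()/recv(), constructed for this example:
    each client line must start with the expected prefix or the server answers 500."""

    def __init__(self, greeting=b"220 mx.example.test ESMTP\r\n", script=()):
        self.transcript = [("S", greeting)]
        self._pending, self._script = greeting, list(script)

    def send(self, data):
        self.transcript.append(("C", data))
        prefix, reply = self._script.pop(0) if self._script else (b"", b"500 unexpected\r\n")
        if not data.startswith(prefix):
            reply = b"500 unexpected\r\n"
        if reply is not None:                    # None: body line, server stays quiet
            self._pending = reply
            self.transcript.append(("S", reply))
        return len(data)

    def recv(self, n):
        reply, self._pending = self._pending[:n], self._pending[n:]
        return reply


# Constructed server script for one authenticated transaction (user/pass base64-encoded).
AUTH_SESSION = [
    (b"ehlo ", b"250 ok\r\n"),
    (b"AUTH LOGIN", b"334 VXNlcm5hbWU6\r\n"),    # base64("Username:")
    (b"dXNlcg==", b"334 UGFzc3dvcmQ6\r\n"),      # base64("Password:")
    (b"cGFzcw==", b"235 authenticated\r\n"),
    (b"mail from:<", b"250 ok\r\n"),
    (b"rcpt to:<", b"250 ok\r\n"),
    (b"data", b"354 go ahead\r\n"),
    (b"", None),                                 # message body: no reply until the terminator
    (END_OF_DATA, b"250 queued\r\n"),
    (b"quit", b"221 bye\r\n"),
]


def send_cmd(sock, data):
    sent = sock.send(data)
    if sent != len(data):
        raise SmtpError("Error sending command (sent = %d/%d)" % (sent, len(data)))


def read_reply(sock):
    """One recv per reply; the three checks mirror the error strings (thresholds assumed)."""
    reply = sock.recv(RECV_MAX)
    if len(reply) >= RECV_MAX:                          # buffer full: reply was cut off
        raise SmtpError("Too big smtp respons (%d bytes)" % len(reply))
    if len(reply) < 5 or not reply.endswith(b"\r\n"):   # shorter than "NNN\r\n"
        raise SmtpError("Too small respons")
    if not reply[:3].isdigit():
        raise SmtpError("Incorrect respons")
    return int(reply[:3])


def expect(sock, code):
    got = read_reply(sock)
    if got != code:
        raise SmtpError("Incorrect respons")
    return got


def send_message(sock, helo_host, mail_from, rcpt_to, body, login=None):
    """Greeting, ehlo (helo fallback), optional AUTH LOGIN, mail from, rcpt to, data,
    body, terminator, quit. Returns the reply codes seen, in order."""
    codes = [expect(sock, 220)]
    send_cmd(sock, b"ehlo %s\r\n" % helo_host)
    codes.append(read_reply(sock))
    if codes[-1] != 250:                                 # EHLO refused: fall back to HELO
        send_cmd(sock, b"helo %s\r\n" % helo_host)
        codes.append(expect(sock, 250))
    if login:
        user, password = login
        send_cmd(sock, b"AUTH LOGIN\r\n")
        codes.append(expect(sock, 334))
        send_cmd(sock, base64.b64encode(user) + b"\r\n")
        codes.append(expect(sock, 334))
        send_cmd(sock, base64.b64encode(password) + b"\r\n")
        codes.append(expect(sock, 235))
    for cmd, code in ((b"mail from:<%s>\r\n" % mail_from, 250),
                      (b"rcpt to:<%s>\r\n" % rcpt_to, 250),
                      (b"data\r\n", 354)):
        send_cmd(sock, cmd)
        codes.append(expect(sock, code))
    send_cmd(sock, body)
    send_cmd(sock, END_OF_DATA)
    codes.append(expect(sock, 250))
    send_cmd(sock, b"quit\r\n")
    codes.append(expect(sock, 221))
    return codes


def classify_reply(raw):
    """Feed one raw reply through read_reply(): the code as text, or the error message."""
    try:
        return str(read_reply(FakeSmtpServer(raw)))
    except SmtpError as err:
        return str(err)
```

classify_reply() exercises the reply checks in isolation; send_message() runs a whole transaction and returns the codes it saw. One consequence of the one-recv-per-reply pattern implied by the fixed 0x3F6 read (assumed here, not proven by the listing) is that a multi-line EHLO banner arriving in more than one segment, or longer than the buffer, is treated as a protocol error rather than reassembled.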
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 020B7A96
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 020B7ACD
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 020B7ADF
                                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 020B7B01
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 020B7B1F
                                                                                      • EqualSid.ADVAPI32(?,?), ref: 020B7B39
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 020B7B4A
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 020B7B58
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 020B7B68
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 020B7B77
                                                                                      • LocalFree.KERNEL32(00000000), ref: 020B7B7E
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 020B7B9A
                                                                                      • GetAce.ADVAPI32(?,?,?), ref: 020B7BCA
                                                                                      • EqualSid.ADVAPI32(?,?), ref: 020B7BF1
                                                                                      • DeleteAce.ADVAPI32(?,?), ref: 020B7C0A
                                                                                      • EqualSid.ADVAPI32(?,?), ref: 020B7C2C
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 020B7CB1
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 020B7CBF
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 020B7CD0
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 020B7CE0
                                                                                      • LocalFree.KERNEL32(00000000), ref: 020B7CEE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                      • String ID: D
                                                                                      • API String ID: 3722657555-2746444292
                                                                                      • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                      • Instruction ID: b2c797bf42a13e2057e0704ae4e02491cae11804d492396491a07781cca4b0da
                                                                                      • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                      • Instruction Fuzzy Hash: 3F814C72900219AFDB22CFA4DD84FEEBBB8AF48305F04806EE505E6160D7759A45DF64
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                      • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                      • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                      • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseOpenQuery
                                                                                      • String ID: PromptOnSecureDesktop$localcfg
                                                                                      • API String ID: 237177642-1678164370
                                                                                      • Opcode ID: a6af351dc60d213a9e30d467bee2029ed5c5b8402c9b4adaa502445c168a30de
                                                                                      • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                      • Opcode Fuzzy Hash: a6af351dc60d213a9e30d467bee2029ed5c5b8402c9b4adaa502445c168a30de
                                                                                      • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                      APIs
                                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                      • API String ID: 835516345-270533642
                                                                                      • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                      • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                      • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                      • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 020B865A
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 020B867B
                                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 020B86A8
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 020B86B1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseOpenQuery
                                                                                      • String ID: "$PromptOnSecureDesktop
                                                                                      • API String ID: 237177642-3108538426
                                                                                      • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                      • Instruction ID: 430bf462bc1897731a6494b2fa0bb481d0a9544d765b6ba6ef61e3b89e58ff1a
                                                                                      • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                      • Instruction Fuzzy Hash: 58C18271940309BFEF639BA4DD84EEE7BBDEF08304F148065F504E2060E7718A94AB65
                                                                                      APIs
                                                                                      • ShellExecuteExW.SHELL32(?), ref: 020B1601
                                                                                      • lstrlenW.KERNEL32(-00000003), ref: 020B17D8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShelllstrlen
                                                                                      • String ID: $<$@$D
                                                                                      • API String ID: 1628651668-1974347203
                                                                                      • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                      • Instruction ID: 39340a4aff4f5a4142df9285fd28095db2b120a8dfde31878d63ecd538f7e7c5
                                                                                      • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                      • Instruction Fuzzy Hash: BAF16BB15083819FD722CF64C898BEAF7E5FF89304F00892DF59A972A0D7B49944CB56
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 020B76D9
                                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 020B7757
                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 020B778F
                                                                                      • ___ascii_stricmp.LIBCMT ref: 020B78B4
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 020B794E
                                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 020B796D
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 020B797E
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 020B79AC
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 020B7A56
                                                                                        • Part of subcall function 020BF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,020B772A,?), ref: 020BF414
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 020B79F6
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 020B7A4D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                      • String ID: "$PromptOnSecureDesktop
                                                                                      • API String ID: 3433985886-3108538426
                                                                                      • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                      • Instruction ID: a9320e0d86e28fe19b14acad2ee09205d3ff45ade1e14a05373a13796a9e4622
                                                                                      • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                      • Instruction Fuzzy Hash: 72C15472900309AFDB739BA4DC45FEEBBB9EF89710F1440A5E504E7160EB719A84DB60
                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 020B2CED
                                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 020B2D07
                                                                                      • htons.WS2_32(00000000), ref: 020B2D42
                                                                                      • select.WS2_32 ref: 020B2D8F
                                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 020B2DB1
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 020B2E62
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                      • String ID:
                                                                                      • API String ID: 127016686-0
                                                                                      • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                      • Instruction ID: c2dc4a98cd34abb095b38a8ef7d70925226cd8793e95fde724699a3f0261af3c
                                                                                      • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                      • Instruction Fuzzy Hash: C961CE71504305AFC332AF65DC08BEBBBE8EF48745F004829FD9497250D7B59880EBA6
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                        • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                        • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                        • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                        • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                        • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                        • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                      • wsprintfA.USER32 ref: 0040AEA5
                                                                                        • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                      • wsprintfA.USER32 ref: 0040AE4F
                                                                                      • wsprintfA.USER32 ref: 0040AE5E
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                      • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                      • API String ID: 3631595830-1816598006
                                                                                      • Opcode ID: e4e7b347f81ef414ffae5a6dba2503777c8a9ab283212ed9991d401180a6d3c8
                                                                                      • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                      • Opcode Fuzzy Hash: e4e7b347f81ef414ffae5a6dba2503777c8a9ab283212ed9991d401180a6d3c8
                                                                                      • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
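The block above builds message headers that imitate a desktop mail client: GetLocalTime is converted with SystemTimeToFileTime and the resulting 64-bit FILETIME is split into the two hex fields of the "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX" boundary template, the Message-ID follows "%08x@%s", and the host name comes from gethostname with the "LocalHost" fallback in subcall 0040AD08. The example below is added for this page, not code from the sample. It fills those templates in Python and, more usefully for an analyst, inverts the boundary to recover the clock value it embeds. Assumptions: "%08X" is used in place of the listing's "%08.8lX" (same output for a 32-bit value); what feeds the left side of "%08x@%s" is not visible in the listing, so message_id() takes it as a parameter; the times and host names in the test are constructed. Because the sample converts local time, the decoded value is the sending machine's local clock, not UTC.

```python
from datetime import datetime, timedelta
import re
import socket

EPOCH_1601 = datetime(1601, 1, 1)
# Boundary template from the listing, with %08X standing in for %08.8lX (assumed equivalent).
NEXTPART = "----=_NextPart_%03d_%04X_%08X.%08X"
NEXTPART_RE = re.compile(r"----=_NextPart_(\d{3})_([0-9A-F]{4})_([0-9A-F]{8})\.([0-9A-F]{8})")


def filetime(dt):
    """SystemTimeToFileTime: 100-ns intervals since 1601-01-01, no zone conversion."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def next_part_boundary(local_time, part, seq):
    """Fill the template: the last two fields are the FILETIME high and low dwords,
    so every boundary the bot emits carries its local clock."""
    ft = filetime(local_time)
    return NEXTPART % (part, seq, ft >> 32, ft & 0xFFFFFFFF)


def decode_boundary_time(boundary):
    """Forensic inverse: the clock value a NextPart boundary encodes, or None."""
    m = NEXTPART_RE.search(boundary)
    if not m:
        return None
    ft = (int(m.group(3), 16) << 32) | int(m.group(4), 16)
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def sender_host(name=None):
    """gethostname() with the 'LocalHost' fallback seen in the subcall at 0040AD08."""
    if name is None:
        try:
            name = socket.gethostname()
        except OSError:
            name = ""
    return name or "LocalHost"


def message_id(value, host):
    """The '%08x@%s' template; 'value' is whatever 32-bit quantity the sample uses (not recoverable here)."""
    return "%08x@%s" % (value & 0xFFFFFFFF, sender_host(host))
```

decode_boundary_time() is the part worth keeping in a triage toolbox: given a spam sample whose boundary matches this template, it yields the bot's wall-clock time at generation, which can be compared with the Date header and mail-server Received timestamps.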
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                      • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                      • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                      • htons.WS2_32(00000035), ref: 00402E88
                                                                                      • inet_addr.WS2_32(?), ref: 00402E93
                                                                                      • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                      • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                      • String ID: GetNetworkParams$iphlpapi.dll
                                                                                      • API String ID: 929413710-2099955842
                                                                                      • Opcode ID: 99710eefac5b10cb2603ebf4cc5b3122d70b499804368040b16c6ad90511ad8a
                                                                                      • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                      • Opcode Fuzzy Hash: 99710eefac5b10cb2603ebf4cc5b3122d70b499804368040b16c6ad90511ad8a
                                                                                      • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32(?), ref: 020B95A7
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 020B95D5
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 020B95DC
                                                                                      • wsprintfA.USER32 ref: 020B9635
                                                                                      • wsprintfA.USER32 ref: 020B9673
                                                                                      • wsprintfA.USER32 ref: 020B96F4
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 020B9758
                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 020B978D
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 020B97D8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 3696105349-2980165447
                                                                                      • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                      • Instruction ID: 08c84401884688bfddd362d642cd0314a891c57d3cc28d23a2e218760a1c9653
                                                                                      • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                      • Instruction Fuzzy Hash: F8A149B294034CAFEB22DFA0CC85FDE3BADAF08745F104026FA15A6151E7B59584DFA4
                                                                                      APIs
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                      • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmpi
                                                                                      • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                                      • API String ID: 1586166983-142018493
                                                                                      • Opcode ID: 9552de4cbf515d2b6d47e6dea1da8c2fc5587847f94a27b71e070b1f180ebfee
                                                                                      • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                      • Opcode Fuzzy Hash: 9552de4cbf515d2b6d47e6dea1da8c2fc5587847f94a27b71e070b1f180ebfee
                                                                                      • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 0040B467
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$wsprintf
                                                                                      • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                      • API String ID: 1220175532-2340906255
                                                                                      • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                      • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                      • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                      • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00402078
                                                                                      • GetTickCount.KERNEL32 ref: 004020D4
                                                                                      • GetTickCount.KERNEL32 ref: 004020DB
                                                                                      • GetTickCount.KERNEL32 ref: 0040212B
                                                                                      • GetTickCount.KERNEL32 ref: 00402132
                                                                                      • GetTickCount.KERNEL32 ref: 00402142
                                                                                        • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                                        • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                                        • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                        • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                        • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                      • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                      • API String ID: 3976553417-1522128867
                                                                                      • Opcode ID: 4d94c23129a6a95dc8b502b505784d49c9536e162242480fe8a8ec954b8a9c2e
                                                                                      • Instruction ID: 1184364059730f832c26daebfda2be78d1cd239b5bb8d2ab2a191843992ce0bd
                                                                                      • Opcode Fuzzy Hash: 4d94c23129a6a95dc8b502b505784d49c9536e162242480fe8a8ec954b8a9c2e
                                                                                      • Instruction Fuzzy Hash: 1E51E2706043465ED728EB25EF49B9A3BD4BB04318F10457FE605E62E2DBFC9898CA1D
                                                                                      APIs
                                                                                      • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                      • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: closesockethtonssocket
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 311057483-2401304539
                                                                                      • Opcode ID: c383e088c647de8533948b28d14b88c3b4e202cf7a7734b8022f5977264c5b02
                                                                                      • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                      • Opcode Fuzzy Hash: c383e088c647de8533948b28d14b88c3b4e202cf7a7734b8022f5977264c5b02
                                                                                      • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                      APIs
                                                                                        • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                        • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                      • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                      • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                      • GetTickCount.KERNEL32 ref: 0040C363
                                                                                      • GetTickCount.KERNEL32 ref: 0040C378
                                                                                      • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                      • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                      • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1553760989-1857712256
                                                                                      • Opcode ID: 22cde20289bbd58cf4c87b835a79ec9fa87a49d804031adc8a6c655dfaebea53
                                                                                      • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                      • Opcode Fuzzy Hash: 22cde20289bbd58cf4c87b835a79ec9fa87a49d804031adc8a6c655dfaebea53
                                                                                      • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 020B3068
                                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 020B3078
                                                                                      • GetProcAddress.KERNEL32(00000000,00410408), ref: 020B3095
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 020B30B6
                                                                                      • htons.WS2_32(00000035), ref: 020B30EF
                                                                                      • inet_addr.WS2_32(?), ref: 020B30FA
                                                                                      • gethostbyname.WS2_32(?), ref: 020B310D
                                                                                      • HeapFree.KERNEL32(00000000), ref: 020B314D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                      • String ID: iphlpapi.dll
                                                                                      • API String ID: 2869546040-3565520932
                                                                                      • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                      • Instruction ID: b65c8f3981448c4a7cd2408d9c22e4f56a5a0134cc61b324c6210c0da88d354a
                                                                                      • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                      • Instruction Fuzzy Hash: D031C731A00306BBDB639BB89C48BEE77FCEF04364F2445A5E518E3290DB74D9419B58
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                                      • API String ID: 3560063639-3847274415
                                                                                      • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                      • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                      • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                      • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                      • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                      • API String ID: 1082366364-2834986871
                                                                                      • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                      • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                      • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                      • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                      APIs
                                                                                      • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                      • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                      • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                      • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                      • String ID: D$PromptOnSecureDesktop
                                                                                      • API String ID: 2981417381-1403908072
                                                                                      • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                      • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                      • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                      • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                      APIs
                                                                                      • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 020B67C3
                                                                                      • htonl.WS2_32(?), ref: 020B67DF
                                                                                      • htonl.WS2_32(?), ref: 020B67EE
                                                                                      • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 020B68F1
                                                                                      • ExitProcess.KERNEL32 ref: 020B69BC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Processhtonl$CurrentExitHugeRead
                                                                                      • String ID: except_info$localcfg
                                                                                      • API String ID: 1150517154-3605449297
                                                                                      • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                      • Instruction ID: 7e9a758e40b918786803386518786f5ade211852a9568743d75c8a9119fb9c5e
                                                                                      • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                      • Instruction Fuzzy Hash: 87616D72A40308AFDB619FA4DC45FEA77E9FF08300F148066FA6DD2161EB7599909F14
                                                                                      APIs
                                                                                      • htons.WS2_32(020BCC84), ref: 020BF5B4
                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 020BF5CE
                                                                                      • closesocket.WS2_32(00000000), ref: 020BF5DC
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: closesockethtonssocket
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 311057483-2401304539
                                                                                      • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                      • Instruction ID: 0b33739a1560d10e028c5fe28013605ce0f1c23ebdcb965515021f3b8ed42f9c
                                                                                      • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                      • Instruction Fuzzy Hash: 77318071900219ABDB22DFB5DC88DEE7BFCEF48350F104566F905D3150E7708A819BA4
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                      • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                      • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                      • wsprintfA.USER32 ref: 00407036
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                      • String ID: /%d$|
                                                                                      • API String ID: 676856371-4124749705
                                                                                      • Opcode ID: 45945144c7b3a0dc554c0e43740ff6cc9c440821671827daef62f6fd9ca141c1
                                                                                      • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                      • Opcode Fuzzy Hash: 45945144c7b3a0dc554c0e43740ff6cc9c440821671827daef62f6fd9ca141c1
                                                                                      • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(?), ref: 020B2FA1
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 020B2FB1
                                                                                      • GetProcAddress.KERNEL32(00000000,004103F0), ref: 020B2FC8
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 020B3000
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 020B3007
                                                                                      • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 020B3032
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                      • String ID: dnsapi.dll
                                                                                      • API String ID: 1242400761-3175542204
                                                                                      • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                      • Instruction ID: 05a771e34119f56bd418067c1b2b316e7b0a04035cf408f7351097cd6d91eb45
                                                                                      • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                      • Instruction Fuzzy Hash: A8216271D0172ABBCB339B55DC48AEEBBB8EF08B50F114461F905E7140D7B49A819BD4
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\ddwzbkaa,020B7043), ref: 020B6F4E
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 020B6F55
                                                                                      • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 020B6F7B
                                                                                      • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 020B6F92
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                      • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\ddwzbkaa
                                                                                      • API String ID: 1082366364-2378185361
                                                                                      • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                      • Instruction ID: c23889384eba206123d0151347149b468da05d0e08f4bbf45e7f4045b1ccc4d3
                                                                                      • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                      • Instruction Fuzzy Hash: FF2101227403457AF77353359C8CFFB2E8C8F52724F1880A6F904E64A1DBDA84D692AD
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Code
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 3609698214-2980165447
                                                                                      • Opcode ID: bf6cadca1482983015e6f85411285f51ea61ea868c04ee3d6e5a036a4d77e9af
                                                                                      • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                      • Opcode Fuzzy Hash: bf6cadca1482983015e6f85411285f51ea61ea868c04ee3d6e5a036a4d77e9af
                                                                                      • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                      APIs
                                                                                      • GetTempPathA.KERNEL32(00000400,?), ref: 020B92E2
                                                                                      • wsprintfA.USER32 ref: 020B9350
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 020B9375
                                                                                      • lstrlen.KERNEL32(?,?,00000000), ref: 020B9389
                                                                                      • WriteFile.KERNEL32(00000000,?,00000000), ref: 020B9394
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 020B939B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 2439722600-2980165447
                                                                                      • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                      • Instruction ID: 35c718ada15e68abf739d78001ff3d72bab222af73c65ec3961b68da927d37f2
                                                                                      • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                      • Instruction Fuzzy Hash: BF1184B17402147BE7316B31EC0DFEF3A6EDFC9B10F00C065BB09E5091EAB44A419A64
                                                                                      APIs
                                                                                      • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                      • wsprintfA.USER32 ref: 004090E9
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                      • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                      • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 2439722600-2980165447
                                                                                      • Opcode ID: eeac8930079615ecde9ddd9b6b90ae0a2380363d55059ccf95723b33c5a67a0b
                                                                                      • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                      • Opcode Fuzzy Hash: eeac8930079615ecde9ddd9b6b90ae0a2380363d55059ccf95723b33c5a67a0b
                                                                                      • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                      APIs
                                                                                      • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 020B9A18
                                                                                      • GetThreadContext.KERNEL32(?,?), ref: 020B9A52
                                                                                      • TerminateProcess.KERNEL32(?,00000000), ref: 020B9A60
                                                                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 020B9A98
                                                                                      • SetThreadContext.KERNEL32(?,00010002), ref: 020B9AB5
                                                                                      • ResumeThread.KERNEL32(?), ref: 020B9AC2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                      • String ID: D
                                                                                      • API String ID: 2981417381-2746444292
                                                                                      • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                      • Instruction ID: 5287277037d973d1866bb15bb31516dde5e4ce6657702f0ece33efd24df7609c
                                                                                      • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                      • Instruction Fuzzy Hash: CE213D7190121DBBDB629BA1DC09EEF7BBCEF05750F404061BA19E1050E7758644DFA4
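The two function listings above (call sites 004097B1 to 0040985B in the on-disk image and 020B9A18 to 020B9AC2 in the unpacked 020B0000 region) show the same API chain: CreateProcessA with dwCreationFlags 0x00000004 (CREATE_SUSPENDED), GetThreadContext, a 4-byte WriteProcessMemory, SetThreadContext with the stack value 0x00010002 (CONTEXT_INTEGER, i.e. CONTEXT_i386 | 2, the flags needed to rewrite the general-purpose registers of the suspended primary thread) and ResumeThread. That is the classic suspended-process injection sequence. The script below is an added example, not part of the Joe Sandbox report and not code from the analysed sample: it parses listings in the report's own "• Api.DLL(args), ref: ADDR" shape and flags the chain, tolerating interleaved calls such as the TerminateProcess logged between GetThreadContext and WriteProcessMemory. The sample listing is constructed from the report lines for 004097B1; the benign listing is constructed for contrast and does not come from the report.

```python
"""Flag the suspended-process injection (process hollowing) API chain in
Joe Sandbox-style "APIs" listings.

Added example: not part of the Joe Sandbox report and not code from the
analysed sample. The parser assumes the report's line shape
"• Api.DLL(arg,arg,...), ref: ADDR" (args may be absent, e.g. ExitProcess).
"""
import re
from dataclasses import dataclass

CREATE_SUSPENDED = 0x00000004                 # dwCreationFlags bit (winbase.h)
CONTEXT_i386 = 0x00010000
CONTEXT_INTEGER = CONTEXT_i386 | 0x00000002   # 0x10002: ContextFlags needed to rewrite EAX/EBX/...

_LINE_RE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<dll>[\w.]+)"      # e.g. CreateProcessA.KERNEL32
    r"(?:\((?P<args>[^)]*)\))?"               # optional logged stack values
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"      # call-site address
)


@dataclass
class Call:
    api: str
    dll: str
    args: list   # raw stack values as logged; "?" means unknown
    ref: int     # address of the call site


def parse_calls(text: str) -> list:
    """Parse every API line of a listing into Call records, in listing order."""
    calls = []
    for m in _LINE_RE.finditer(text):
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("dll"), args, int(m.group("ref"), 16)))
    return calls


def _hex(value: str):
    """Parse one logged stack value; None for '?' or non-numeric strings."""
    try:
        return int(value, 16)
    except ValueError:
        return None


# Ordered chain; an A/W suffix is normalised away so CreateProcessW matches too.
_CHAIN = ["CreateProcess", "GetThreadContext", "WriteProcessMemory",
          "SetThreadContext", "ResumeThread"]


def _norm(api: str) -> str:
    if api.endswith(("A", "W")) and api[:-1] in _CHAIN:
        return api[:-1]
    return api


def detect_hollowing(calls: list) -> dict:
    """Return a finding when the chain appears in listing order (other calls may
    be interleaved); return {} when the chain is incomplete."""
    matched, step = [], 0
    for c in calls:
        if step < len(_CHAIN) and _norm(c.api) == _CHAIN[step]:
            matched.append(c)
            step += 1
    if step != len(_CHAIN):
        return {}
    create, _getctx, write, setctx, resume = matched
    # 6th stack value of CreateProcess* is dwCreationFlags.
    flags = _hex(create.args[5]) if len(create.args) > 5 else None
    suspended = flags is not None and bool(flags & CREATE_SUSPENDED)
    # Joe logs raw stack slots, so CONTEXT_INTEGER may sit beside the lpContext
    # pointer rather than in a fixed argument position: match it anywhere.
    ctx_integer = any(_hex(a) == CONTEXT_INTEGER for a in setctx.args)
    write_size = _hex(write.args[3]) if len(write.args) > 3 else None   # nSize
    return {
        "technique": "suspended-process injection / process hollowing",
        "create_suspended": suspended,
        "context_integer": ctx_integer,
        "write_size": write_size,
        "call_sites": [hex(c.ref) for c in matched],
        "confidence": "high" if suspended and ctx_integer else "medium",
    }


# Constructed from the report's listing for the function at 004097B1.
SAMPLE_LISTING = """\
• CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
"""

# Constructed contrast case (not from the report): a plain spawn-and-wait.
BENIGN_LISTING = """\
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00401000
• WaitForSingleObject.KERNEL32(?,FFFFFFFF), ref: 00401020
"""

if __name__ == "__main__":
    print(detect_hollowing(parse_calls(SAMPLE_LISTING)))
    print(detect_hollowing(parse_calls(BENIGN_LISTING)) or "no hollowing chain")
```

The 4-byte WriteProcessMemory is reported as informational only: a single pointer-sized write is consistent with patching one field in the child (for example an image base or entry address) before the context is rewritten, but the listing alone does not show what was written, so the finding does not claim it.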
                                                                                      APIs
                                                                                      • inet_addr.WS2_32(004102D8), ref: 020B1C18
                                                                                      • LoadLibraryA.KERNEL32(004102C8), ref: 020B1C26
                                                                                      • GetProcessHeap.KERNEL32 ref: 020B1C84
                                                                                      • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 020B1C9D
                                                                                      • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 020B1CC1
                                                                                      • HeapFree.KERNEL32(?,00000000,00000000), ref: 020B1D02
                                                                                      • FreeLibrary.KERNEL32(?), ref: 020B1D0B
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                      • String ID:
                                                                                      • API String ID: 2324436984-0
                                                                                      • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                      • Instruction ID: 195af248adcd451ac020faea8f9895ce3d98a6deee8501eec0e64bf94c16fc92
                                                                                      • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                      • Instruction Fuzzy Hash: 07315E31E00209BFCB629FA4DC988EEFBB9EF45305F24447AE509E2110D7B54E80EB94
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                      • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: QueryValue$CloseOpen
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 1586453840-2980165447
                                                                                      • Opcode ID: 408187160a9fd672143b2fb6dc480bda50dca4705688b53d13eec5f5d618ee99
                                                                                      • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                      • Opcode Fuzzy Hash: 408187160a9fd672143b2fb6dc480bda50dca4705688b53d13eec5f5d618ee99
                                                                                      • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                      • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                      • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$CreateEvent
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 1371578007-2980165447
                                                                                      • Opcode ID: bcf9f26feddd2ed5ed551e83e2f4d069af3bfaacc5c7330f22f0f7afc01b2182
                                                                                      • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                      • Opcode Fuzzy Hash: bcf9f26feddd2ed5ed551e83e2f4d069af3bfaacc5c7330f22f0f7afc01b2182
                                                                                      • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                      APIs
                                                                                      • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 020B6CE4
                                                                                      • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 020B6D22
                                                                                      • GetLastError.KERNEL32 ref: 020B6DA7
                                                                                      • CloseHandle.KERNEL32(?), ref: 020B6DB5
                                                                                      • GetLastError.KERNEL32 ref: 020B6DD6
                                                                                      • DeleteFileA.KERNEL32(?), ref: 020B6DE7
                                                                                      • GetLastError.KERNEL32 ref: 020B6DFD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                      • String ID:
                                                                                      • API String ID: 3873183294-0
                                                                                      • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                      • Instruction ID: 328727202ecef840faef5d3cced1538218e9f8e7becfbff9fdb1fce00649d5bd
                                                                                      • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                      • Instruction Fuzzy Hash: 2331F076D00249BFCB22DFA4DD48ADE7FBDEF48300F148066E211E3211D7728A85AB61
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 020B93C6
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 020B93CD
                                                                                      • CharToOemA.USER32(?,?), ref: 020B93DB
                                                                                      • wsprintfA.USER32 ref: 020B9410
                                                                                        • Part of subcall function 020B92CB: GetTempPathA.KERNEL32(00000400,?), ref: 020B92E2
                                                                                        • Part of subcall function 020B92CB: wsprintfA.USER32 ref: 020B9350
                                                                                        • Part of subcall function 020B92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 020B9375
                                                                                        • Part of subcall function 020B92CB: lstrlen.KERNEL32(?,?,00000000), ref: 020B9389
                                                                                        • Part of subcall function 020B92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 020B9394
                                                                                        • Part of subcall function 020B92CB: CloseHandle.KERNEL32(00000000), ref: 020B939B
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 020B9448
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 3857584221-2980165447
                                                                                      • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                      • Instruction ID: 86a7609f3b6bfbfbdeb51b4ead42456fa0c3bdf319853f87e3b382425e57b17e
                                                                                      • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                      • Instruction Fuzzy Hash: EE014CF69402187BDB21A7619D89EDF3A7CDB95701F0040A2BB49E2080EAB496C58F75
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                      • CharToOemA.USER32(?,?), ref: 00409174
                                                                                      • wsprintfA.USER32 ref: 004091A9
                                                                                        • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                        • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                        • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                        • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                        • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                        • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 3857584221-2980165447
                                                                                      • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                      • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                      • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                      • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen
                                                                                      • String ID: $localcfg
                                                                                      • API String ID: 1659193697-2018645984
                                                                                      • Opcode ID: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                                      • Instruction ID: b9ddbd9b3b962d305894abf2fda2b2cb23b294fde88b712bb4d8ab119be387ba
                                                                                      • Opcode Fuzzy Hash: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                                      • Instruction Fuzzy Hash: 3B712971B00308BADF738B58DC85FEE37A9AF00719F244427F905A7091DF729984AB69
                                                                                      APIs
                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                        • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                      • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                      • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                      • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                      • String ID: flags_upd$localcfg
                                                                                      • API String ID: 204374128-3505511081
                                                                                      • Opcode ID: b12b09febf6a93b5a857205a9020b291ac36bae7336f41d82ae420c8a7da9417
                                                                                      • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                      • Opcode Fuzzy Hash: b12b09febf6a93b5a857205a9020b291ac36bae7336f41d82ae420c8a7da9417
                                                                                      • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                      APIs
                                                                                        • Part of subcall function 020BDF6C: GetCurrentThreadId.KERNEL32 ref: 020BDFBA
                                                                                      • lstrcmp.KERNEL32(00410178,00000000), ref: 020BE8FA
                                                                                      • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,020B6128), ref: 020BE950
                                                                                      • lstrcmp.KERNEL32(?,00000008), ref: 020BE989
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                      • String ID: A$ A$ A
                                                                                      • API String ID: 2920362961-1846390581
                                                                                      • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                      • Instruction ID: b70b69cb623f2b8472db7c686d778147b4f4bb76f96dc968348e039985ebf78a
                                                                                      • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                      • Instruction Fuzzy Hash: 67319E31A047059BDFB38F24C884BEA7BE4EF09725F80892AE55687551D374E888EB81
                                                                                      APIs
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Code
                                                                                      • String ID:
                                                                                      • API String ID: 3609698214-0
                                                                                      • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                      • Instruction ID: 8737b3c9c1ce5211dc5fd96e1ac55da6aaea6382587a2c534dd958b6d1f73533
                                                                                      • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                      • Instruction Fuzzy Hash: 1F214D7A104219BFDB229B60EC48EDF3FADEF49265B108425F512D1091EB71DA40AB74
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                      • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                      • Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                      • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                       • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 3819781495-0
                                                                                      • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                      • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                      • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                      • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 020BC6B4
                                                                                      • InterlockedIncrement.KERNEL32(020BC74B), ref: 020BC715
                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,020BC747), ref: 020BC728
                                                                                      • CloseHandle.KERNEL32(00000000,?,020BC747,00413588,020B8A77), ref: 020BC733
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1026198776-1857712256
                                                                                      • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                      • Instruction ID: b770d18bb786006355a93342d3fa015839e3018e4d97ebc0bc63ccc5d569265c
                                                                                      • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                      • Instruction Fuzzy Hash: 485139B1A01B418FE7768F29C99466ABBE9FF48304B50593FE18BC7A90D774E840DB14
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
                                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                        • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                        • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                        • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                        • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                        • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                        • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                        • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 124786226-2980165447
                                                                                      • Opcode ID: cbafa232a6e94f8975ef8f9c1c9f1bb8b2ba5715a16b1a9a54536c77f0dcfabb
                                                                                      • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                      • Opcode Fuzzy Hash: cbafa232a6e94f8975ef8f9c1c9f1bb8b2ba5715a16b1a9a54536c77f0dcfabb
                                                                                      • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                      APIs
                                                                                      • RegCreateKeyExA.ADVAPI32(80000001,020BE50A,00000000,00000000,00000000,00020106,00000000,020BE50A,00000000,000000E4), ref: 020BE319
                                                                                      • RegSetValueExA.ADVAPI32(020BE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 020BE38E
                                                                                      • RegDeleteValueA.ADVAPI32(020BE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 020BE3BF
                                                                                      • RegCloseKey.ADVAPI32(020BE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,020BE50A), ref: 020BE3C8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseCreateDelete
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 2667537340-2980165447
                                                                                      • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                      • Instruction ID: d7e3380ca434f22873d5833936da4f2bcedc7fc205c087cf0f8d751abd7da75e
                                                                                      • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                      • Instruction Fuzzy Hash: 81212F71A0021DBBDF229FA5EC89EDE7FB9EF08B50F048061F904E6150E7718A54EB90
                                                                                      APIs
                                                                                      • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                      • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                      • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                      • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseCreateDelete
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 2667537340-2980165447
                                                                                      • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                      • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                      • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                      • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 020B71E1
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 020B7228
                                                                                      • LocalFree.KERNEL32(?,?,?), ref: 020B7286
                                                                                      • wsprintfA.USER32 ref: 020B729D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                      • String ID: |
                                                                                      • API String ID: 2539190677-2343686810
                                                                                      • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                      • Instruction ID: 002e77e2f083015ba059fd21cb8ae90aa74d41291cb2a8d655d3ab818ef177e5
                                                                                      • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                      • Instruction Fuzzy Hash: D9313A72900209BFCB12DFA8DC48BDA7BACEF04314F148066F859DB250EB75D6488BA4
                                                                                      APIs
                                                                                      • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                      • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                                      • String ID: LocalHost
                                                                                      • API String ID: 3695455745-3154191806
                                                                                      • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                      • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                      • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                      • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 020BB51A
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 020BB529
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 020BB548
                                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 020BB590
                                                                                      • wsprintfA.USER32 ref: 020BB61E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                      • String ID:
                                                                                      • API String ID: 4026320513-0
                                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction ID: 9efc873904c55ff832a2e8ee475afec9cefdcbe247178639d8fdaf3cdc0238fa
                                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction Fuzzy Hash: BE5120B1D0021CABCF65CFD5D8885EEBBB9FF48304F10812AE501A6150E7B84AC9DF98
                                                                                      APIs
                                                                                      • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 020B6303
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 020B632A
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 020B63B1
                                                                                      • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 020B6405
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: HugeRead$AddressLibraryLoadProc
                                                                                      • String ID:
                                                                                      • API String ID: 3498078134-0
                                                                                      • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                      • Instruction ID: 81b1d130fd931b900514c89300d82a483ab7186e1bb1a1f3c4e411add15b7c8a
                                                                                      • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                      • Instruction Fuzzy Hash: 08415C71A00605ABDB66CF58C884BEDB7F8FF04758F188179E925E7290D772E980EB50
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 9330360b6e1371249270e3654020af71fef978c9da79cf6a334d0c8045d78e73
                                                                                      • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                      • Opcode Fuzzy Hash: 9330360b6e1371249270e3654020af71fef978c9da79cf6a334d0c8045d78e73
                                                                                      • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                      APIs
                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                      • lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                      • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                      • lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                      • String ID: A$ A
                                                                                      • API String ID: 3343386518-686259309
                                                                                      • Opcode ID: 0f63d472f6005489d6367e153140da01beedcd43e8f3e57f886e240d56cbd5fe
                                                                                      • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                      • Opcode Fuzzy Hash: 0f63d472f6005489d6367e153140da01beedcd43e8f3e57f886e240d56cbd5fe
                                                                                      • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 0040272E
                                                                                      • htons.WS2_32(00000001), ref: 00402752
                                                                                      • htons.WS2_32(0000000F), ref: 004027D5
                                                                                      • htons.WS2_32(00000001), ref: 004027E3
                                                                                      • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                        • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                        • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                      • String ID:
                                                                                      • API String ID: 1128258776-0
                                                                                      • Opcode ID: 8e6a9532d72d51de89e2fd9f75b6ba5ac83ae2ff66b6af1cfb9e75e8d3b17b2d
                                                                                      • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                      • Opcode Fuzzy Hash: 8e6a9532d72d51de89e2fd9f75b6ba5ac83ae2ff66b6af1cfb9e75e8d3b17b2d
                                                                                      • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                      APIs
                                                                                      • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                      • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: setsockopt
                                                                                      • String ID:
                                                                                      • API String ID: 3981526788-0
                                                                                      • Opcode ID: b9568b5d259a03ff5e7acc11fe935b2567c3f076d90e58e3ea0b9b9781d75a7f
                                                                                      • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                      • Opcode Fuzzy Hash: b9568b5d259a03ff5e7acc11fe935b2567c3f076d90e58e3ea0b9b9781d75a7f
                                                                                      • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                      APIs
                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                      • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$lstrcmpi
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1808961391-1857712256
                                                                                      • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                      • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                      • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                      • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                      APIs
                                                                                        • Part of subcall function 020BDF6C: GetCurrentThreadId.KERNEL32 ref: 020BDFBA
                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,020BA6AC), ref: 020BE7BF
                                                                                      • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,020BA6AC), ref: 020BE7EA
                                                                                      • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,020BA6AC), ref: 020BE819
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 1396056608-2980165447
                                                                                      • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                      • Instruction ID: 67537bedbd30e0e8633291af622f4aa11ab367e1a8d006700f0deeacef5767b0
                                                                                      • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                      • Instruction Fuzzy Hash: C32105B1A403007AE6337735AC09FEB3E4DDF65B60F500024BA0DB55D3EAA59450AAB9
                                                                                      APIs
                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                      • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                      • CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 3683885500-2980165447
                                                                                      • Opcode ID: 375ee97a820c2ddf17ebd87f02f20ee2f8afeeea92a135757b731e7364b890fb
                                                                                      • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                      • Opcode Fuzzy Hash: 375ee97a820c2ddf17ebd87f02f20ee2f8afeeea92a135757b731e7364b890fb
                                                                                      • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                      • API String ID: 2574300362-1087626847
                                                                                      • Opcode ID: cef1619c9ddb93373a3b26c2c3d895f019988db76d1b257518542825d62f9407
                                                                                      • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                      • Opcode Fuzzy Hash: cef1619c9ddb93373a3b26c2c3d895f019988db76d1b257518542825d62f9407
                                                                                      • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 020B76D9
                                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 020B796D
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 020B797E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseEnumOpen
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 1332880857-2980165447
                                                                                      • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                      • Instruction ID: c37e05cf11f9d367b262cc820ceea0ca51ba642ada62f67c63864b780d0309ba
                                                                                      • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                      • Instruction Fuzzy Hash: AB11DF32A00209AFDB238F69DC44FEFBFB9EF85304F140151F510E62A0E3B089409B60
                                                                                      APIs
                                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                      • String ID: hi_id$localcfg
                                                                                      • API String ID: 2777991786-2393279970
                                                                                      • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                      • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                      • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                      • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 020B999D
                                                                                      • RegDeleteValueA.ADVAPI32(?,00000000), ref: 020B99BD
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 020B99C6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseDeleteOpenValue
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 849931509-2980165447
                                                                                      • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                      • Instruction ID: 026134e0592d24479ddf96465cfa04e045e8c15bdb34230dc86faad89c388a30
                                                                                      • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                      • Instruction Fuzzy Hash: 7DF096B2680208BFF7226B54EC06FDF3A2DDF95B14F104061FA05B5091F6E59A9096BD
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                      • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                      • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseDeleteOpenValue
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 849931509-2980165447
                                                                                      • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                      • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                      • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                                      • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbynameinet_addr
                                                                                      • String ID: time_cfg$u6A
                                                                                      • API String ID: 1594361348-1940331995
                                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction ID: 0b19078f5ef8ec188b396e30a9762471c5d75feb92a8c00fe74a039b75b05243
                                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction Fuzzy Hash: F6E0C2306052119FCBA28B2CF848AC537E4EF0A230F008580F844D31A0C734DCC0A780
                                                                                      APIs
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080), ref: 020B69E5
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002), ref: 020B6A26
                                                                                      • GetFileSize.KERNEL32(000000FF,00000000), ref: 020B6A3A
                                                                                      • CloseHandle.KERNEL32(000000FF), ref: 020B6BD8
                                                                                        • Part of subcall function 020BEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,020B1DCF,?), ref: 020BEEA8
                                                                                        • Part of subcall function 020BEE95: HeapFree.KERNEL32(00000000), ref: 020BEEAF
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                      • String ID:
                                                                                      • API String ID: 3384756699-0
                                                                                      • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                      • Instruction ID: 01d3545f48b3ba396aceb0a4ef73ee510a9fb9b7617d5a5c0625c35119e71aa6
                                                                                      • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                      • Instruction Fuzzy Hash: F671F57190021DEFDF229FA4CC80EEEBBB9FF08354F10456AE515A6190D7719E92EB60
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf
                                                                                      • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                      • API String ID: 2111968516-120809033
                                                                                      • Opcode ID: b81ff642ec8c405db45b3491a41a5ff03a93d7a0b594a8e685d163348fa56039
                                                                                      • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                      • Opcode Fuzzy Hash: b81ff642ec8c405db45b3491a41a5ff03a93d7a0b594a8e685d163348fa56039
                                                                                      • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 020B41AB
                                                                                      • GetLastError.KERNEL32 ref: 020B41B5
                                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 020B41C6
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 020B41D9
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3373104450-0
                                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                      • Instruction ID: 3aea55bbbdbe87a7dff48ae83d648c1dea204ceecc7f3d0bbb61ae934cd5b7cd
                                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                      • Instruction Fuzzy Hash: B001257691120AABDF12DF90ED84BEE3BACEF18259F008461F901E2050D7709B609BB6
                                                                                      APIs
                                                                                      • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 020B421F
                                                                                      • GetLastError.KERNEL32 ref: 020B4229
                                                                                      • WaitForSingleObject.KERNEL32(?,?), ref: 020B423A
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 020B424D
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 888215731-0
                                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                      • Instruction ID: 96c06ea3fa6e0fa098199a9f03cc43d734dec729951d67beff7dc3dafb17f46c
                                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                      • Instruction Fuzzy Hash: EA01E572911209ABDF12DF90ED84BEE7BACEF08255F418061F901E2051D7709A54ABB6
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                      • GetLastError.KERNEL32 ref: 00403F4E
                                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3373104450-0
                                                                                      • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                      • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                      • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                      • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                      APIs
                                                                                      • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                      • GetLastError.KERNEL32 ref: 00403FC2
                                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 888215731-0
                                                                                      • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                      • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                      • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                      • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                      APIs
                                                                                      • lstrcmp.KERNEL32(?,80000009), ref: 020BE066
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmp
                                                                                      • String ID: A$ A$ A
                                                                                      • API String ID: 1534048567-1846390581
                                                                                      • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                      • Instruction ID: c72e62088ac3987e448c3d1c33efa8cef92556f74f35c88a2a2a6a14a11289cb
                                                                                      • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                      • Instruction Fuzzy Hash: D3F06D322007029BCB73CF25D884AC2B7F9FF09325B848A2AE659C3160D374B8D8DB51
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                      • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                      • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                      • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                      • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                      • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                      • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                      • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                      • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                      • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                      • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                      • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                      • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                      • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                      • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                      • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                      • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00403103
                                                                                      • GetTickCount.KERNEL32 ref: 0040310F
                                                                                      • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                      • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                      • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                      • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00000001,020B44E2,00000000,00000000,00000000), ref: 020BE470
                                                                                      • CloseHandle.KERNEL32(00000001,00000003), ref: 020BE484
                                                                                        • Part of subcall function 020BE2FC: RegCreateKeyExA.ADVAPI32(80000001,020BE50A,00000000,00000000,00000000,00020106,00000000,020BE50A,00000000,000000E4), ref: 020BE319
                                                                                        • Part of subcall function 020BE2FC: RegSetValueExA.ADVAPI32(020BE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 020BE38E
                                                                                        • Part of subcall function 020BE2FC: RegDeleteValueA.ADVAPI32(020BE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 020BE3BF
                                                                                        • Part of subcall function 020BE2FC: RegCloseKey.ADVAPI32(020BE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,020BE50A), ref: 020BE3C8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 4151426672-2980165447
                                                                                      • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                      • Instruction ID: a2621d0e46eac62de182caa9a776c8e43d88516f761756839c18f06837726450
                                                                                      • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                      • Instruction Fuzzy Hash: 0241B3B2D40308BAEB326F51CC45FEB3BACEF05724F548125FA0994191E7B58650EAA4
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                      • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                        • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                        • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                        • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                        • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 4151426672-2980165447
                                                                                      • Opcode ID: 8be28398c9b64518b0c2b4a9ca03f67626971bf670fb2bb82cd1ddcbbc63f74b
                                                                                      • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                      • Opcode Fuzzy Hash: 8be28398c9b64518b0c2b4a9ca03f67626971bf670fb2bb82cd1ddcbbc63f74b
                                                                                      • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 020B83C6
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 020B8477
                                                                                        • Part of subcall function 020B69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 020B69E5
                                                                                        • Part of subcall function 020B69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 020B6A26
                                                                                        • Part of subcall function 020B69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 020B6A3A
                                                                                        • Part of subcall function 020BEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,020B1DCF,?), ref: 020BEEA8
                                                                                        • Part of subcall function 020BEE95: HeapFree.KERNEL32(00000000), ref: 020BEEAF
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 359188348-2980165447
                                                                                      • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                      • Instruction ID: 18469f3522df28c08b9198e961927124c79e52f9432de062d34b5cad2631fa4f
                                                                                      • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                      • Instruction Fuzzy Hash: F74163B2900209BFDB33ABA49D84EFF77ADEF04304F0484A6E504D7160E7705A549B64
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,020BE859,00000000,00020119,020BE859,PromptOnSecureDesktop), ref: 020BE64D
                                                                                      • RegCloseKey.ADVAPI32(020BE859,?,?,?,?,000000C8,000000E4), ref: 020BE787
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseOpen
                                                                                      • String ID: PromptOnSecureDesktop
                                                                                      • API String ID: 47109696-2980165447
                                                                                      • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                      • Instruction ID: 5a102d11cc27b2b5d69c8784e108caf4a88dab27edd4686924da40e719d3f682
                                                                                      • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                      • Instruction Fuzzy Hash: 8D4109B2D0021DBFDF22EFA4DC85DEEBBB9FF04344F544466EA00A6150E3719A55AB60
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 020BAFFF
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 020BB00D
                                                                                        • Part of subcall function 020BAF6F: gethostname.WS2_32(?,00000080), ref: 020BAF83
                                                                                        • Part of subcall function 020BAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 020BAFE6
                                                                                        • Part of subcall function 020B331C: gethostname.WS2_32(?,00000080), ref: 020B333F
                                                                                        • Part of subcall function 020B331C: gethostbyname.WS2_32(?), ref: 020B3349
                                                                                        • Part of subcall function 020BAA0A: inet_ntoa.WS2_32(00000000), ref: 020BAA10
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                      • String ID: %OUTLOOK_BND_
                                                                                      • API String ID: 1981676241-3684217054
                                                                                      • Opcode ID: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                                      • Instruction ID: 81300da70221dc085e3d3f3ed83514ce282ade3da381cdd6fb427193d005f67e
                                                                                      • Opcode Fuzzy Hash: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                                      • Instruction Fuzzy Hash: 08412F7290030DABDB36EFA0DC49EEE3BADFF08304F144426F92592151EA75D6549F54
                                                                                      APIs
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 020B9536
                                                                                      • Sleep.KERNEL32(000001F4), ref: 020B955D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShellSleep
                                                                                      • String ID:
                                                                                      • API String ID: 4194306370-3916222277
                                                                                      • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                      • Instruction ID: 6e7e213be56f713982f0420fc86156c3e02ba86d94e5ef28bee9c9a62d09bb96
                                                                                      • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                      • Instruction Fuzzy Hash: 9D41257184838D6FEBB78B64DC9CBEA3FE49F02314F1840A5D282971A2D7B44981EF11
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 020BB9D9
                                                                                      • InterlockedIncrement.KERNEL32(00413648), ref: 020BBA3A
                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 020BBA94
                                                                                      • GetTickCount.KERNEL32 ref: 020BBB79
                                                                                      • GetTickCount.KERNEL32 ref: 020BBB99
                                                                                      • InterlockedIncrement.KERNEL32(?), ref: 020BBE15
                                                                                      • closesocket.WS2_32(00000000), ref: 020BBEB4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountIncrementInterlockedTick$closesocket
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 1869671989-2903620461
                                                                                      • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                      • Instruction ID: 92380a855041da6e06a83263d5c844db06d7806671b907855842c57ca87c8caa
                                                                                      • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                      • Instruction Fuzzy Hash: 43316A715003489FDF76DFA4DC84AEEB7A9EF48704F204456FA2582160EB749A85DF10
                                                                                      APIs
                                                                                      Strings
                                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTickwsprintf
                                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                      • API String ID: 2424974917-1012700906
                                                                                      • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                      • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                      • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                      • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                      APIs
                                                                                        • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                        • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 3716169038-2903620461
                                                                                      • Opcode ID: e1f66ca458b0c02b098c3f9bf5ab9d6aa128bf2eae483acf175470e5a77abb1b
                                                                                      • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                      • Opcode Fuzzy Hash: e1f66ca458b0c02b098c3f9bf5ab9d6aa128bf2eae483acf175470e5a77abb1b
                                                                                      • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                      APIs
                                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 020B70BC
                                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 020B70F4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountLookupUser
                                                                                      • String ID: |
                                                                                      • API String ID: 2370142434-2343686810
                                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                      • Instruction ID: d749a97d7e52f992994e23099d584e76ba884f137f567051843b04bf6cbe4c6a
                                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                      • Instruction Fuzzy Hash: B3112A73900218EBDB62CBD8DC84ADEB7BCAF44305F1441A6E501E60A4D7709B88DBA0
                                                                                      APIs
                                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2777991786-1857712256
                                                                                      • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                      • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                      • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                      • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                      APIs
                                                                                      • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                      • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: IncrementInterlockedlstrcpyn
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 224340156-2903620461
                                                                                      • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                      • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                      • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                      • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                      APIs
                                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                      • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2112563974-1857712256
                                                                                      • Opcode ID: a08d305d75887146466c199ddd6057d320457f51b90cc9ea0957b561bafc3010
                                                                                      • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                      • Opcode Fuzzy Hash: a08d305d75887146466c199ddd6057d320457f51b90cc9ea0957b561bafc3010
                                                                                      • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbynameinet_addr
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 1594361348-2401304539
                                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
                                                                                      • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: ntdll.dll
                                                                                      • API String ID: 2574300362-2227199552
                                                                                      • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                      • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                      • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                      • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                      APIs
                                                                                        • Part of subcall function 020B2F88: GetModuleHandleA.KERNEL32(?), ref: 020B2FA1
                                                                                        • Part of subcall function 020B2F88: LoadLibraryA.KERNEL32(?), ref: 020B2FB1
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 020B31DA
                                                                                      • HeapFree.KERNEL32(00000000), ref: 020B31E1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1729199823.00000000020B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020B0000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_20b0000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1017166417-0
                                                                                      • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                      • Instruction ID: 9465b5716c29b89ebf8e3702e36db19eb311442702c92e17e8a0dcb1a06907d9
                                                                                      • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                      • Instruction Fuzzy Hash: 01518E71900346EFCB229F64DC88AFAB7B5FF05305F2445A9EC96D7210E7329A19DB90
                                                                                      APIs
                                                                                        • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                        • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000000.00000002.1728388128.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                      • Associated: 00000000.00000002.1728388128.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_0_2_400000_I5vhb7vJPS.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1017166417-0
                                                                                      • Opcode ID: 844cf183498a50414e2a144f10c99375846975ccfb8c44de2e9068b35b99d8d8
                                                                                      • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                      • Opcode Fuzzy Hash: 844cf183498a50414e2a144f10c99375846975ccfb8c44de2e9068b35b99d8d8
                                                                                      • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

                                                                                      Execution Graph

                                                                                      Execution Coverage:2.9%
                                                                                      Dynamic/Decrypted Code Coverage:2.1%
                                                                                      Signature Coverage:0%
                                                                                      Total number of Nodes:1563
                                                                                      Total number of Limit Nodes:12
execution_graph
Rendered execution-graph data (graph node ids, function addresses, called Windows API names and node->node edges) spilled into the text where the interactive graph widget was; it is not reproduced here.
4031f3 15797->15798 15799 4031ec 15797->15799 15800 40ebcc 4 API calls 15798->15800 15799->15319 15801 4031fc 15800->15801 15801->15799 15808 40ebcc GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15801->15808 15809 40344d 15801->15809 15811 40344b 15801->15811 15813 403141 lstrcmpiA 15801->15813 15911 4030fa GetTickCount 15801->15911 15802 403459 15805 40f04e 4 API calls 15802->15805 15803 40349d 15804 40ec2e codecvt 4 API calls 15803->15804 15804->15799 15806 40345f 15805->15806 15807 4030fa 4 API calls 15806->15807 15807->15799 15808->15801 15810 40ec2e codecvt 4 API calls 15809->15810 15810->15811 15811->15802 15811->15803 15813->15801 15815 4030fa 4 API calls 15814->15815 15816 403c1a 15815->15816 15817 403ce6 15816->15817 15916 403a72 15816->15916 15817->15319 15820 403a72 9 API calls 15821 403c5e 15820->15821 15821->15817 15822 403a72 9 API calls 15821->15822 15823 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15821->15823 15822->15821 15823->15821 15825 403a10 15824->15825 15826 4030fa 4 API calls 15825->15826 15827 403a1a 15826->15827 15827->15319 15829 40dd05 6 API calls 15828->15829 15830 40e7be 15829->15830 15830->15319 15832 40c105 15831->15832 15833 40c07e wsprintfA 15831->15833 15832->15319 15925 40bfce GetTickCount wsprintfA 15833->15925 15835 40c0ef 15926 40bfce GetTickCount wsprintfA 15835->15926 15838 407047 15837->15838 15839 406f88 LookupAccountNameA 15837->15839 15838->15319 15841 407025 15839->15841 15842 406fcb 15839->15842 15843 406edd 5 API calls 15841->15843 15844 406fdb ConvertSidToStringSidA 15842->15844 15845 40702a wsprintfA 15843->15845 15844->15841 15846 406ff1 15844->15846 15845->15838 15847 407013 LocalFree 15846->15847 15847->15841 15849 40dd05 6 API calls 15848->15849 15850 40e85c 15849->15850 15851 40dd84 lstrcmpiA 15850->15851 15852 40e867 15851->15852 15853 40e885 lstrcpyA 15852->15853 15927 4024a5 15852->15927 15930 40dd69 15853->15930 15859 407db7 2 API calls 15858->15859 15860 407de1 15859->15860 15861 
40f04e 4 API calls 15860->15861 15864 407e16 15860->15864 15862 407df2 15861->15862 15863 40f04e 4 API calls 15862->15863 15862->15864 15863->15864 15864->15319 15866 40dd84 lstrcmpiA 15865->15866 15867 40c58e 15866->15867 15867->15716 15867->15722 15867->15725 15869 40ca1d 15868->15869 15870 40f33b 15868->15870 15869->15239 15869->15741 15871 40f347 htons socket 15870->15871 15872 40f382 ioctlsocket 15871->15872 15873 40f374 closesocket 15871->15873 15874 40f3aa connect select 15872->15874 15875 40f39d 15872->15875 15873->15869 15874->15869 15876 40f3f2 __WSAFDIsSet 15874->15876 15877 40f39f closesocket 15875->15877 15876->15877 15878 40f403 ioctlsocket 15876->15878 15877->15869 15880 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15878->15880 15880->15869 15882 407dc8 InterlockedExchange 15881->15882 15883 407dc0 Sleep 15882->15883 15884 407dd4 15882->15884 15883->15882 15884->15768 15884->15773 15886 40e184 15885->15886 15887 40e2e4 15886->15887 15888 40e223 15886->15888 15901 40dfe2 15886->15901 15887->15796 15888->15887 15890 40dfe2 8 API calls 15888->15890 15894 40e23c 15890->15894 15891 40e1be 15891->15888 15892 40dbcf 3 API calls 15891->15892 15895 40e1d6 15892->15895 15893 40e21a CloseHandle 15893->15888 15894->15887 15905 40e095 RegCreateKeyExA 15894->15905 15895->15888 15895->15893 15896 40e1f9 WriteFile 15895->15896 15896->15893 15898 40e213 15896->15898 15898->15893 15899 40e2a3 15899->15887 15900 40e095 4 API calls 15899->15900 15900->15887 15902 40dffc 15901->15902 15904 40e024 15901->15904 15903 40db2e 8 API calls 15902->15903 15902->15904 15903->15904 15904->15891 15906 40e172 15905->15906 15909 40e0c0 15905->15909 15906->15899 15907 40e13d 15908 40e14e RegDeleteValueA RegCloseKey 15907->15908 15908->15906 15909->15907 15910 40e115 RegSetValueExA 15909->15910 15910->15907 15910->15909 15912 403122 InterlockedExchange 15911->15912 15913 40312e 15912->15913 15914 40310f GetTickCount 15912->15914 15913->15801 15914->15913 15915 40311a 
Sleep 15914->15915 15915->15912 15917 40f04e 4 API calls 15916->15917 15924 403a83 15917->15924 15918 403ac1 15918->15817 15918->15820 15919 403be6 15922 40ec2e codecvt 4 API calls 15919->15922 15920 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15921 403bc0 15920->15921 15921->15919 15921->15920 15922->15918 15923 403b66 lstrlenA 15923->15918 15923->15924 15924->15918 15924->15921 15924->15923 15925->15835 15926->15832 15928 402419 4 API calls 15927->15928 15929 4024b6 15928->15929 15929->15853 15931 40dd79 lstrlenA 15930->15931 15931->15319 15933 404084 15932->15933 15934 40407d 15932->15934 15935 403ecd 6 API calls 15933->15935 15936 40408f 15935->15936 15937 404000 3 API calls 15936->15937 15939 404095 15937->15939 15938 404130 15940 403ecd 6 API calls 15938->15940 15939->15938 15944 403f18 4 API calls 15939->15944 15941 404159 CreateNamedPipeA 15940->15941 15942 404167 Sleep 15941->15942 15943 404188 ConnectNamedPipe 15941->15943 15942->15938 15945 404176 CloseHandle 15942->15945 15947 404195 GetLastError 15943->15947 15957 4041ab 15943->15957 15946 4040da 15944->15946 15945->15943 15948 403f8c 4 API calls 15946->15948 15949 40425e DisconnectNamedPipe 15947->15949 15947->15957 15950 4040ec 15948->15950 15949->15943 15951 404127 CloseHandle 15950->15951 15952 404101 15950->15952 15951->15938 15954 403f18 4 API calls 15952->15954 15953 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 15953->15957 15955 40411c ExitProcess 15954->15955 15956 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15956->15957 15957->15943 15957->15949 15957->15953 15957->15956 15958 40426a CloseHandle CloseHandle 15957->15958 15959 40e318 23 API calls 15958->15959 15960 40427b 15959->15960 15960->15960 15962 408791 15961->15962 15963 40879f 15961->15963 15965 40f04e 4 API calls 15962->15965 15964 4087bc 15963->15964 15966 40f04e 4 API calls 15963->15966 15967 40e819 11 API calls 15964->15967 15965->15963 15966->15964 15968 4087d7 
15967->15968 15975 408803 15968->15975 15982 4026b2 gethostbyaddr 15968->15982 15970 4087eb 15972 40e8a1 30 API calls 15970->15972 15970->15975 15972->15975 15976 40e819 11 API calls 15975->15976 15977 4088a0 Sleep 15975->15977 15979 4026b2 2 API calls 15975->15979 15980 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15975->15980 15981 40e8a1 30 API calls 15975->15981 15987 40c4d6 15975->15987 15990 40c4e2 15975->15990 15993 402011 15975->15993 16028 408328 15975->16028 15976->15975 15977->15975 15979->15975 15980->15975 15981->15975 15983 4026fb 15982->15983 15984 4026cd 15982->15984 15983->15970 15985 4026e1 inet_ntoa 15984->15985 15986 4026de 15984->15986 15985->15986 15986->15970 16080 40c2dc 15987->16080 15991 40c2dc 141 API calls 15990->15991 15992 40c4ec 15991->15992 15992->15975 15994 402020 15993->15994 15995 40202e 15993->15995 15996 40f04e 4 API calls 15994->15996 15997 40204b 15995->15997 15999 40f04e 4 API calls 15995->15999 15996->15995 15998 40206e GetTickCount 15997->15998 16000 40f04e 4 API calls 15997->16000 16001 402090 15998->16001 16002 4020db GetTickCount 15998->16002 15999->15997 16004 402068 16000->16004 16005 4020d4 GetTickCount 16001->16005 16009 402684 2 API calls 16001->16009 16017 4020ce 16001->16017 16415 401978 16001->16415 16003 402132 GetTickCount GetTickCount 16002->16003 16014 4020e7 16002->16014 16006 40f04e 4 API calls 16003->16006 16004->15998 16005->16002 16008 402159 16006->16008 16007 40212b GetTickCount 16007->16003 16011 40e854 13 API calls 16008->16011 16025 4021b4 16008->16025 16009->16001 16013 40218e 16011->16013 16012 40f04e 4 API calls 16016 4021d1 16012->16016 16018 40e819 11 API calls 16013->16018 16014->16007 16019 401978 15 API calls 16014->16019 16020 402125 16014->16020 16420 402ef8 16014->16420 16021 4021f2 16016->16021 16022 40ea84 30 API calls 16016->16022 16017->16005 16023 40219c 16018->16023 16019->16014 16020->16007 16021->15975 16024 4021ec 16022->16024 16023->16025 
16428 401c5f 16023->16428 16026 40f04e 4 API calls 16024->16026 16025->16012 16026->16021 16029 407dd6 6 API calls 16028->16029 16030 40833c 16029->16030 16031 408340 16030->16031 16032 406ec3 2 API calls 16030->16032 16031->15975 16033 40834f 16032->16033 16034 40835c 16033->16034 16039 40846b 16033->16039 16035 4073ff 17 API calls 16034->16035 16036 408373 16035->16036 16036->16031 16057 4083ea RegOpenKeyExA 16036->16057 16067 408450 16036->16067 16037 408626 GetTempPathA 16069 408638 16037->16069 16038 40675c 21 API calls 16042 4085df 16038->16042 16040 4084a7 RegOpenKeyExA 16039->16040 16039->16067 16043 4084c0 RegQueryValueExA 16040->16043 16045 40852f 16040->16045 16042->16037 16051 408762 16042->16051 16042->16069 16046 408521 RegCloseKey 16043->16046 16050 4084dd 16043->16050 16044 4086ad 16048 407e2f 6 API calls 16044->16048 16044->16051 16047 408564 RegOpenKeyExA 16045->16047 16059 4085a5 16045->16059 16046->16045 16049 408573 RegSetValueExA RegCloseKey 16047->16049 16047->16059 16060 4086bb 16048->16060 16049->16059 16050->16046 16052 40ebcc 4 API calls 16050->16052 16051->16031 16054 40ec2e codecvt 4 API calls 16051->16054 16056 4084f0 16052->16056 16053 40875b DeleteFileA 16053->16051 16054->16031 16056->16046 16058 4084f8 RegQueryValueExA 16056->16058 16061 4083fd RegQueryValueExA 16057->16061 16057->16067 16058->16046 16062 408515 16058->16062 16063 40ec2e codecvt 4 API calls 16059->16063 16059->16067 16060->16053 16068 4086e0 lstrcpyA lstrlenA 16060->16068 16064 40842d RegSetValueExA 16061->16064 16065 40841e 16061->16065 16066 40ec2e codecvt 4 API calls 16062->16066 16063->16067 16070 408447 RegCloseKey 16064->16070 16065->16064 16065->16070 16071 40851d 16066->16071 16067->16038 16067->16042 16072 407fcf 64 API calls 16068->16072 16500 406ba7 IsBadCodePtr 16069->16500 16070->16067 16071->16046 16073 408719 CreateProcessA 16072->16073 16074 40873d CloseHandle CloseHandle 16073->16074 16075 40874f 16073->16075 16074->16051 16076 407ee6 64 API calls 
16075->16076 16077 408754 16076->16077 16078 407ead 6 API calls 16077->16078 16079 40875a 16078->16079 16079->16053 16096 40a4c7 GetTickCount 16080->16096 16083 40c45e 16088 40c4d2 16083->16088 16089 40c4ab InterlockedIncrement CreateThread 16083->16089 16084 40c300 GetTickCount 16086 40c337 16084->16086 16085 40c326 16085->16086 16087 40c32b GetTickCount 16085->16087 16086->16083 16091 40c363 GetTickCount 16086->16091 16087->16086 16088->15975 16089->16088 16090 40c4cb CloseHandle 16089->16090 16101 40b535 16089->16101 16090->16088 16091->16083 16092 40c373 16091->16092 16093 40c378 GetTickCount 16092->16093 16094 40c37f 16092->16094 16093->16094 16095 40c43b GetTickCount 16094->16095 16095->16083 16097 40a4f7 InterlockedExchange 16096->16097 16098 40a500 16097->16098 16099 40a4e4 GetTickCount 16097->16099 16098->16083 16098->16084 16098->16085 16099->16098 16100 40a4ef Sleep 16099->16100 16100->16097 16102 40b566 16101->16102 16103 40ebcc 4 API calls 16102->16103 16104 40b587 16103->16104 16105 40ebcc 4 API calls 16104->16105 16152 40b590 16105->16152 16106 40bdcd InterlockedDecrement 16107 40bde2 16106->16107 16109 40ec2e codecvt 4 API calls 16107->16109 16110 40bdea 16109->16110 16112 40ec2e codecvt 4 API calls 16110->16112 16111 40bdb7 Sleep 16111->16152 16113 40bdf2 16112->16113 16115 40be05 16113->16115 16116 40ec2e codecvt 4 API calls 16113->16116 16114 40bdcc 16114->16106 16116->16115 16117 40ebed 8 API calls 16117->16152 16120 40b6b6 lstrlenA 16120->16152 16121 4030b5 2 API calls 16121->16152 16122 40e819 11 API calls 16122->16152 16123 40b6ed lstrcpyA 16176 405ce1 16123->16176 16126 40b731 lstrlenA 16126->16152 16127 40b71f lstrcmpA 16127->16126 16127->16152 16128 40b772 GetTickCount 16128->16152 16129 40bd49 InterlockedIncrement 16273 40a628 16129->16273 16132 40b7ce InterlockedIncrement 16186 40acd7 16132->16186 16133 4038f0 6 API calls 16133->16152 16134 40bc5b InterlockedIncrement 16134->16152 16137 40b912 GetTickCount 16137->16152 16138 40b932 
GetTickCount 16141 40bc6d InterlockedIncrement 16138->16141 16138->16152 16139 40bcdc closesocket 16139->16152 16140 40b826 InterlockedIncrement 16140->16128 16141->16152 16142 405ce1 22 API calls 16142->16152 16144 40a7c1 22 API calls 16144->16152 16146 40bba6 InterlockedIncrement 16146->16152 16148 40bc4c closesocket 16148->16152 16151 40ba71 wsprintfA 16207 40a7c1 16151->16207 16152->16106 16152->16111 16152->16114 16152->16117 16152->16120 16152->16121 16152->16122 16152->16123 16152->16126 16152->16127 16152->16128 16152->16129 16152->16132 16152->16133 16152->16134 16152->16137 16152->16138 16152->16139 16152->16140 16152->16142 16152->16144 16152->16146 16152->16148 16152->16151 16154 40ab81 lstrcpynA InterlockedIncrement 16152->16154 16155 40ef1e lstrlenA 16152->16155 16156 405ded 12 API calls 16152->16156 16158 403e10 16152->16158 16161 403e4f 16152->16161 16164 40384f 16152->16164 16184 40a7a3 inet_ntoa 16152->16184 16191 40abee 16152->16191 16203 401feb GetTickCount 16152->16203 16204 40a688 16152->16204 16227 403cfb 16152->16227 16230 40b3c5 16152->16230 16261 40ab81 16152->16261 16154->16152 16155->16152 16156->16152 16159 4030fa 4 API calls 16158->16159 16160 403e1d 16159->16160 16160->16152 16162 4030fa 4 API calls 16161->16162 16163 403e5c 16162->16163 16163->16152 16165 4030fa 4 API calls 16164->16165 16167 403863 16165->16167 16166 4038b2 16166->16152 16167->16166 16168 4038b9 16167->16168 16169 403889 16167->16169 16282 4035f9 16168->16282 16276 403718 16169->16276 16174 4035f9 6 API calls 16174->16166 16175 403718 6 API calls 16175->16166 16177 405cf4 16176->16177 16178 405cec 16176->16178 16180 404bd1 4 API calls 16177->16180 16288 404bd1 GetTickCount 16178->16288 16181 405d02 16180->16181 16293 405472 16181->16293 16185 40a7b9 16184->16185 16185->16152 16187 40f315 14 API calls 16186->16187 16188 40aceb 16187->16188 16189 40acff 16188->16189 16190 40f315 14 API calls 16188->16190 16189->16152 16190->16189 16192 40abfb 16191->16192 16196 40ac65 
16192->16196 16356 402f22 16192->16356 16194 40f315 14 API calls 16194->16196 16195 40ac8a 16195->16152 16196->16194 16196->16195 16197 40ac6f 16196->16197 16198 40ab81 2 API calls 16197->16198 16199 40ac81 16198->16199 16364 4038f0 16199->16364 16200 402684 2 API calls 16202 40ac23 16200->16202 16202->16196 16202->16200 16203->16152 16378 40a63d 16204->16378 16206 40a696 16206->16152 16208 40a87d lstrlenA send 16207->16208 16209 40a7df 16207->16209 16210 40a899 16208->16210 16211 40a8bf 16208->16211 16209->16208 16216 40a7fa wsprintfA 16209->16216 16217 40a80a 16209->16217 16219 40a8f2 16209->16219 16214 40a8a5 wsprintfA 16210->16214 16220 40a89e 16210->16220 16212 40a8c4 send 16211->16212 16211->16219 16215 40a8d8 wsprintfA 16212->16215 16212->16219 16213 40a978 recv 16213->16219 16221 40a982 16213->16221 16214->16220 16215->16220 16216->16217 16217->16208 16218 40a9b0 wsprintfA 16218->16220 16219->16213 16219->16218 16219->16221 16220->16152 16221->16220 16222 4030b5 2 API calls 16221->16222 16223 40ab05 16222->16223 16224 40e819 11 API calls 16223->16224 16225 40ab17 16224->16225 16226 40a7a3 inet_ntoa 16225->16226 16226->16220 16228 4030fa 4 API calls 16227->16228 16229 403d0b 16228->16229 16229->16152 16231 405ce1 22 API calls 16230->16231 16232 40b3e6 16231->16232 16233 405ce1 22 API calls 16232->16233 16235 40b404 16233->16235 16234 40b440 16236 40ef7c 3 API calls 16234->16236 16235->16234 16237 40ef7c 3 API calls 16235->16237 16238 40b458 wsprintfA 16236->16238 16239 40b42b 16237->16239 16241 40ef7c 3 API calls 16238->16241 16240 40ef7c 3 API calls 16239->16240 16240->16234 16242 40b480 16241->16242 16243 40ef7c 3 API calls 16242->16243 16244 40b493 16243->16244 16245 40ef7c 3 API calls 16244->16245 16246 40b4bb 16245->16246 16383 40ad89 GetLocalTime SystemTimeToFileTime 16246->16383 16250 40b4cc 16251 40ef7c 3 API calls 16250->16251 16252 40b4dd 16251->16252 16253 40b211 7 API calls 16252->16253 16254 40b4ec 16253->16254 16255 40ef7c 3 API calls 
16254->16255 16256 40b4fd 16255->16256 16257 40b211 7 API calls 16256->16257 16258 40b509 16257->16258 16259 40ef7c 3 API calls 16258->16259 16260 40b51a 16259->16260 16260->16152 16262 40ab8c 16261->16262 16264 40abe9 GetTickCount 16261->16264 16263 40aba8 lstrcpynA 16262->16263 16262->16264 16265 40abe1 InterlockedIncrement 16262->16265 16263->16262 16266 40a51d 16264->16266 16265->16262 16267 40a4c7 4 API calls 16266->16267 16268 40a52c 16267->16268 16269 40a542 GetTickCount 16268->16269 16271 40a539 GetTickCount 16268->16271 16269->16271 16272 40a56c 16271->16272 16272->16152 16274 40a4c7 4 API calls 16273->16274 16275 40a633 16274->16275 16275->16152 16277 40f04e 4 API calls 16276->16277 16279 40372a 16277->16279 16278 403847 16278->16166 16278->16175 16279->16278 16280 4037b3 GetCurrentThreadId 16279->16280 16280->16279 16281 4037c8 GetCurrentThreadId 16280->16281 16281->16279 16283 40f04e 4 API calls 16282->16283 16284 40360c 16283->16284 16285 4036da GetCurrentThreadId 16284->16285 16286 4036f1 16284->16286 16285->16286 16287 4036e5 GetCurrentThreadId 16285->16287 16286->16166 16286->16174 16287->16286 16289 404bff InterlockedExchange 16288->16289 16290 404c08 16289->16290 16291 404bec GetTickCount 16289->16291 16290->16177 16291->16290 16292 404bf7 Sleep 16291->16292 16292->16289 16312 404763 16293->16312 16295 40548a 16296 405b58 16295->16296 16303 404ae6 8 API calls 16295->16303 16307 40558d lstrcpynA 16295->16307 16308 405a9f lstrcpyA 16295->16308 16309 405935 lstrcpynA 16295->16309 16310 405472 13 API calls 16295->16310 16311 4058e7 lstrcpyA 16295->16311 16316 404ae6 16295->16316 16320 40ef7c lstrlenA lstrlenA lstrlenA 16295->16320 16322 404699 16296->16322 16299 404763 lstrlenA 16300 405b6e 16299->16300 16343 404f9f 16300->16343 16302 405b79 16302->16152 16303->16295 16305 405549 lstrlenA 16305->16295 16307->16295 16308->16295 16309->16295 16310->16295 16311->16295 16314 40477a 16312->16314 16313 404859 16313->16295 16314->16313 16315 40480d lstrlenA 
16314->16315 16315->16314 16317 404af3 16316->16317 16319 404b03 16316->16319 16318 40ebed 8 API calls 16317->16318 16318->16319 16319->16305 16321 40efb4 16320->16321 16321->16295 16348 4045b3 16322->16348 16325 4045b3 7 API calls 16326 4046c6 16325->16326 16327 4045b3 7 API calls 16326->16327 16328 4046d8 16327->16328 16329 4045b3 7 API calls 16328->16329 16330 4046ea 16329->16330 16331 4045b3 7 API calls 16330->16331 16332 4046ff 16331->16332 16333 4045b3 7 API calls 16332->16333 16334 404711 16333->16334 16335 4045b3 7 API calls 16334->16335 16336 404723 16335->16336 16337 40ef7c 3 API calls 16336->16337 16338 404735 16337->16338 16339 40ef7c 3 API calls 16338->16339 16340 40474a 16339->16340 16341 40ef7c 3 API calls 16340->16341 16342 40475c 16341->16342 16342->16299 16344 404fac 16343->16344 16346 404fb0 16343->16346 16344->16302 16345 404ffd 16345->16302 16346->16345 16347 404fd5 IsBadCodePtr 16346->16347 16347->16346 16349 4045c1 16348->16349 16350 4045c8 16348->16350 16351 40ebcc 4 API calls 16349->16351 16352 40ebcc 4 API calls 16350->16352 16354 4045e1 16350->16354 16351->16350 16352->16354 16353 404691 16353->16325 16354->16353 16355 40ef7c 3 API calls 16354->16355 16355->16354 16371 402d21 GetModuleHandleA 16356->16371 16359 402fcf GetProcessHeap HeapFree 16363 402f44 16359->16363 16360 402f4f 16362 402f6b GetProcessHeap HeapFree 16360->16362 16361 402f85 16361->16359 16361->16361 16362->16363 16363->16202 16365 403900 16364->16365 16366 403980 16364->16366 16367 4030fa 4 API calls 16365->16367 16366->16195 16370 40390a 16367->16370 16368 40391b GetCurrentThreadId 16368->16370 16369 403939 GetCurrentThreadId 16369->16370 16370->16366 16370->16368 16370->16369 16372 402d46 LoadLibraryA 16371->16372 16373 402d5b GetProcAddress 16371->16373 16372->16373 16375 402d54 16372->16375 16373->16375 16377 402d6b 16373->16377 16374 402d97 GetProcessHeap HeapAlloc 16374->16375 16374->16377 16375->16360 16375->16361 16375->16363 16376 402db5 lstrcpynA 16376->16377 
16377->16374 16377->16375 16377->16376 16379 40a645 16378->16379 16380 40a64d 16378->16380 16379->16206 16381 40a66e 16380->16381 16382 40a65e GetTickCount 16380->16382 16381->16206 16382->16381 16384 40adbf 16383->16384 16408 40ad08 gethostname 16384->16408 16387 4030b5 2 API calls 16388 40add3 16387->16388 16389 40a7a3 inet_ntoa 16388->16389 16392 40ade4 16388->16392 16389->16392 16390 40ae85 wsprintfA 16391 40ef7c 3 API calls 16390->16391 16393 40aebb 16391->16393 16392->16390 16394 40ae36 wsprintfA wsprintfA 16392->16394 16396 40ef7c 3 API calls 16393->16396 16395 40ef7c 3 API calls 16394->16395 16395->16392 16397 40aed2 16396->16397 16398 40b211 16397->16398 16399 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 16398->16399 16400 40b2af GetLocalTime 16398->16400 16401 40b2d2 16399->16401 16400->16401 16402 40b2d9 SystemTimeToFileTime 16401->16402 16403 40b31c GetTimeZoneInformation 16401->16403 16404 40b2ec 16402->16404 16405 40b33a wsprintfA 16403->16405 16406 40b312 FileTimeToSystemTime 16404->16406 16405->16250 16406->16403 16409 40ad71 16408->16409 16414 40ad26 lstrlenA 16408->16414 16411 40ad85 16409->16411 16412 40ad79 lstrcpyA 16409->16412 16411->16387 16412->16411 16413 40ad68 lstrlenA 16413->16409 16414->16409 16414->16413 16416 40f428 14 API calls 16415->16416 16417 40198a 16416->16417 16418 401990 closesocket 16417->16418 16419 401998 16417->16419 16418->16419 16419->16001 16421 402d21 6 API calls 16420->16421 16422 402f01 16421->16422 16425 402f0f 16422->16425 16436 402df2 GetModuleHandleA 16422->16436 16424 402684 2 API calls 16426 402f1d 16424->16426 16425->16424 16427 402f1f 16425->16427 16426->16014 16427->16014 16430 401c80 16428->16430 16429 401d1c 16433 401d47 wsprintfA 16429->16433 16430->16429 16431 401cc2 wsprintfA 16430->16431 16434 401d79 16430->16434 16432 402684 2 API calls 16431->16432 16432->16430 16435 402684 2 API calls 16433->16435 16434->16025 16435->16434 16437 402e10 LoadLibraryA 16436->16437 16438 402e0b 16436->16438 
16439 402e17 16437->16439 16438->16437 16438->16439 16440 402ef1 16439->16440 16441 402e28 GetProcAddress 16439->16441 16440->16425 16441->16440 16442 402e3e GetProcessHeap HeapAlloc 16441->16442 16444 402e62 16442->16444 16443 402ede GetProcessHeap HeapFree 16443->16440 16444->16440 16444->16443 16445 402e7f htons inet_addr 16444->16445 16446 402ea5 gethostbyname 16444->16446 16448 402ceb 16444->16448 16445->16444 16445->16446 16446->16444 16449 402cf2 16448->16449 16451 402d1c 16449->16451 16452 402d0e Sleep 16449->16452 16453 402a62 GetProcessHeap HeapAlloc 16449->16453 16451->16444 16452->16449 16452->16451 16454 402a92 16453->16454 16455 402a99 socket 16453->16455 16454->16449 16456 402cd3 GetProcessHeap HeapFree 16455->16456 16457 402ab4 16455->16457 16456->16454 16457->16456 16471 402abd 16457->16471 16458 402adb htons 16473 4026ff 16458->16473 16460 402b04 select 16460->16471 16461 402ca4 16462 402cb3 GetProcessHeap HeapFree closesocket 16461->16462 16462->16454 16463 402b3f recv 16463->16471 16464 402b66 htons 16464->16461 16464->16471 16465 402b87 htons 16465->16461 16465->16471 16468 402bf3 GetProcessHeap HeapAlloc 16468->16471 16469 402c17 htons 16488 402871 16469->16488 16471->16458 16471->16460 16471->16461 16471->16462 16471->16463 16471->16464 16471->16465 16471->16468 16471->16469 16472 402c4d GetProcessHeap HeapFree 16471->16472 16480 402923 16471->16480 16492 402904 16471->16492 16472->16471 16474 40271d 16473->16474 16475 402717 16473->16475 16477 40272b GetTickCount htons 16474->16477 16476 40ebcc 4 API calls 16475->16476 16476->16474 16478 4027cc htons htons sendto 16477->16478 16479 40278a 16477->16479 16478->16471 16479->16478 16481 402944 16480->16481 16483 40293d 16480->16483 16496 402816 htons 16481->16496 16483->16471 16484 402950 16484->16483 16485 402871 htons 16484->16485 16486 4029bd htons htons htons 16484->16486 16485->16484 16486->16483 16487 4029f6 GetProcessHeap HeapAlloc 16486->16487 16487->16483 16487->16484 16489 4028e3 
16488->16489 16491 402889 16488->16491 16489->16471 16490 4028c3 htons 16490->16489 16490->16491 16491->16489 16491->16490 16493 402921 16492->16493 16494 402908 16492->16494 16493->16471 16495 402909 GetProcessHeap HeapFree 16494->16495 16495->16493 16495->16495 16497 40286b 16496->16497 16498 402836 16496->16498 16497->16484 16498->16497 16499 40285c htons 16498->16499 16499->16497 16499->16498 16501 406bc0 16500->16501 16502 406bbc 16500->16502 16503 40ebcc 4 API calls 16501->16503 16505 406bd4 16501->16505 16502->16044 16504 406be4 16503->16504 16504->16505 16506 406c07 CreateFileA 16504->16506 16507 406bfc 16504->16507 16505->16044 16509 406c34 WriteFile 16506->16509 16510 406c2a 16506->16510 16508 40ec2e codecvt 4 API calls 16507->16508 16508->16505 16512 406c49 CloseHandle DeleteFileA 16509->16512 16513 406c5a CloseHandle 16509->16513 16511 40ec2e codecvt 4 API calls 16510->16511 16511->16505 16512->16510 16514 40ec2e codecvt 4 API calls 16513->16514 16514->16505 14849 630005 14854 63092b GetPEB 14849->14854 14851 630030 14856 63003c 14851->14856 14855 630972 14854->14855 14855->14851 14857 630049 14856->14857 14871 630e0f SetErrorMode SetErrorMode 14857->14871 14862 630265 14863 6302ce VirtualProtect 14862->14863 14865 63030b 14863->14865 14864 630439 VirtualFree 14869 6304be 14864->14869 14870 6305f4 LoadLibraryA 14864->14870 14865->14864 14866 6304e3 LoadLibraryA 14866->14869 14868 6308c7 14869->14866 14869->14870 14870->14868 14872 630223 14871->14872 14873 630d90 14872->14873 14874 630dad 14873->14874 14875 630dbb GetPEB 14874->14875 14876 630238 VirtualAlloc 14874->14876 14875->14876 14876->14862 14831 4a2098 14834 4a20a8 14831->14834 14835 4a20b7 14834->14835 14838 4a2848 14835->14838 14839 4a2863 14838->14839 14840 4a286c CreateToolhelp32Snapshot 14839->14840 14841 4a2888 Module32First 14839->14841 14840->14839 14840->14841 14842 4a20a7 14841->14842 14843 4a2897 14841->14843 14845 4a2507 14843->14845 14846 4a2532 14845->14846 14847 4a2543 
VirtualAlloc 14846->14847 14848 4a257b 14846->14848 14847->14848
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                      • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                      • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                      • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                      • wsprintfA.USER32 ref: 0040A0B6
                                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                      • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                      • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                      • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                      • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                        • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                        • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                        • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                      • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                      • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                      • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                      • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                      • DeleteFileA.KERNEL32(C:\Users\user\Desktop\I5vhb7vJPS.exe), ref: 0040A407
                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                      • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                      • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                      • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                      • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                      • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                      • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\I5vhb7vJPS.exe$C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe$D$P$\$jjcfhqgg
                                                                                      • API String ID: 2089075347-1809632314
                                                                                      • Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                      • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                      • Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
                                                                                      • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph
• Function 40637c, basic blocks 40637c-40640f: GetModuleHandleA, VirtualAlloc, call 40ee08, VirtualAllocEx, call 4062b7, WriteProcessMemory (the rendered graph and its executed/not-executed colouring are not recoverable from the extracted text)
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                      • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                      • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                      • String ID:
                                                                                      • API String ID: 1965334864-0
                                                                                      • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                      • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                      • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                      • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

Control-flow Graph
• Function 4073ff, basic blocks 4073ff-407808: RegOpenKeyExA, then a RegEnumKeyA loop with RegOpenKeyExA, RegQueryValueExA, ___ascii_stricmp, GetFileAttributesExA and RegCloseKey on the per-key paths; helper calls 406dc2, 402544, 40ee2a, 406cad, 40f1a5, 40ef00, 40ee95, 40ed03, 40ed77, 40ed23, 406c96, 40ee08 (the rendered graph and its executed/not-executed colouring are not recoverable from the extracted text)
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
                                                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
                                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
                                                                                      • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
                                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
                                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                      • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                      • String ID: "
                                                                                      • API String ID: 3433985886-123907689
                                                                                      • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                      • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                      • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                      • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

Control-flow Graph
• Function 63003c in the non-PE region at 630000, basic blocks 63003c-63091d: VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA (two call sites); helper calls 630a3f, 630e0f, 630d90, 630a69, 630cce, 630ce7 (the rendered graph and its executed/not-executed colouring are not recoverable from the extracted text)
                                                                                      APIs
                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0063024D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual
                                                                                      • String ID: cess$kernel32.dll
                                                                                      • API String ID: 4275171209-1230238691
                                                                                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                      • Instruction ID: 8f69342a498a25bf33f9362e99804d6d805f6cc08e10f7a952bbbdd345a8224a
                                                                                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                      • Instruction Fuzzy Hash: AF527874A00229DFDB64CF58C995BA8BBB1BF09314F1480D9E90DAB351DB30AE89DF54

Control-flow Graph
• Function 40977c, basic blocks 40977c-409866: CreateProcessA, Wow64GetThreadContext, call 40637c, TerminateProcess on the failure path, WriteProcessMemory, Wow64SetThreadContext, ResumeThread; helper call 40ee2a (the rendered graph and its executed/not-executed colouring are not recoverable from the extracted text)
                                                                                      APIs
                                                                                      • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                      • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                      • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                      • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                      • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                      • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                      • String ID: D
                                                                                      • API String ID: 2098669666-2746444292
                                                                                      • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                      • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                      • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                      • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
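The two listings above for 0040637C (VirtualAllocEx with protection 00000040, then WriteProcessMemory) and 0040977C (CreateProcessA with creation flags 00000004, then Wow64GetThreadContext, a 4-byte WriteProcessMemory, Wow64SetThreadContext with ContextFlags 00010002 and ResumeThread) are the API shape of process hollowing. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it parses API lines in this report's format, decodes the creation flags and allocation protection using the documented Win32 constant values (an assumption of the example, not something the report states), and flags the chain. The sample input is copied from the listings on this page and embedded so the code runs offline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Documented Win32 constants (assumed standard SDK values, not taken from the report).
CREATE_SUSPENDED = 0x00000004
CREATE_NO_WINDOW = 0x08000000
PAGE_EXECUTE_READWRITE = 0x00000040
CREATION_FLAG_NAMES = {CREATE_SUSPENDED: "CREATE_SUSPENDED", CREATE_NO_WINDOW: "CREATE_NO_WINDOW"}

# One report line: "• Api.MODULE(arg,arg,...), ref: ADDR", with an optional
# "Part of subcall function XXXX:" prefix and an optional argument list.
LINE_RE = re.compile(
    r"(?:•\s*)?(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HEX_RE = re.compile(r"[0-9A-Fa-f]{1,8}")

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # hex stack values as ints; '?' and string values become None
    ref: int                   # address of the call site
    subcall: bool              # reported from a callee rather than this function

def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API line in a block of report text, preserving listed order."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        raw = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        args = [int(a, 16) if HEX_RE.fullmatch(a) else None for a in raw]
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), m.group("sub") is not None))
    return calls

def decode_flags(value: int, names: Dict[int, str]) -> List[str]:
    """Expand a bitmask into the constant names it contains."""
    return [name for bit, name in names.items() if value & bit]

def creation_flags(call: ApiCall) -> int:
    """dwCreationFlags is the sixth CreateProcessA/W parameter (stack index 5)."""
    return call.args[5] if len(call.args) > 5 and call.args[5] is not None else 0

def detect_process_hollowing(calls: List[ApiCall]) -> Optional[Dict[str, int]]:
    """Call sites of the first complete chain CreateProcess*(CREATE_SUSPENDED) ->
    (Wow64)GetThreadContext -> WriteProcessMemory -> (Wow64)SetThreadContext ->
    ResumeThread, in order; unrelated calls in between are skipped. None if absent."""
    stages = [
        ("CreateProcess", lambda c: c.api.startswith("CreateProcess")
         and bool(creation_flags(c) & CREATE_SUSPENDED)),
        ("GetThreadContext", lambda c: c.api.endswith("GetThreadContext")),
        ("WriteProcessMemory", lambda c: c.api == "WriteProcessMemory"),
        ("SetThreadContext", lambda c: c.api.endswith("SetThreadContext")),
        ("ResumeThread", lambda c: c.api == "ResumeThread"),
    ]
    found: Dict[str, int] = {}
    for call in calls:
        name, matches = stages[len(found)]
        if matches(call):
            found[name] = call.ref
            if len(found) == len(stages):
                return found
    return None

def detect_remote_rwx_write(calls: List[ApiCall]) -> Optional[Dict[str, int]]:
    """VirtualAllocEx with flProtect (stack index 4) == PAGE_EXECUTE_READWRITE, then WriteProcessMemory."""
    alloc_ref = None
    for call in calls:
        if (call.api == "VirtualAllocEx" and len(call.args) > 4
                and call.args[4] == PAGE_EXECUTE_READWRITE):
            alloc_ref = call.ref
        elif call.api == "WriteProcessMemory" and alloc_ref is not None:
            return {"VirtualAllocEx": alloc_ref, "WriteProcessMemory": call.ref}
    return None

# Sample input: API lines copied from this report (functions 0040977C and 0040637C,
# plus the non-suspended CreateProcessA at ref 0040A120), embedded so this runs offline.
HOLLOWING_LISTING = """\
• CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
• Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
• WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
• Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
• ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
"""
REMOTE_WRITE_LISTING = """\
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
"""
LAUNCHER_LINE = "• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120"
```

Two caveats when reading Joe Sandbox argument lists this way: the values in parentheses are stack slots captured at the call site and can run past the API's real parameter count (CreateProcessA has ten parameters but thirteen values are shown), so only index documented positions; and a '?' means the value was not resolved, so a missing flag is not evidence that it was absent. With that in mind, the 4-byte WriteProcessMemory and a ContextFlags value of 00010002 (CONTEXT_i386 | CONTEXT_INTEGER under the same SDK assumption) are consistent with the classic hollowing sequence of patching the suspended child's image base pointer and redirecting a register to the new entry point, while the CreateProcessA at ref 0040A120 carries only 08000000 (CREATE_NO_WINDOW) and is correctly not flagged as hollowing.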

Control-flow Graph
• Function 404000, basic blocks 404000-40405c: CreateFileA, GetLastError, Sleep, with an edge from the Sleep block back to the CreateFileA block (a retry loop); (the rendered graph and its executed/not-executed colouring are not recoverable from the extracted text)
                                                                                      APIs
                                                                                      • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                      • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                      • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateErrorFileLastSleep
                                                                                      • String ID:
                                                                                      • API String ID: 408151869-0
                                                                                      • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                      • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                      • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                      • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                      Control-flow Graph

                                                                                      APIs
                                                                                      • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                      • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$CountFileInformationSystemTickVolume
                                                                                      • String ID:
                                                                                      • API String ID: 1209300637-0
                                                                                      • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                      • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                      • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                      • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                      Control-flow Graph (basic blocks: address range, API calls, successor blocks)

                                                                                      • Block 509: 406e36-406e5d, GetUserNameW -> 510, 511
                                                                                      • Block 510: 406ebe-406ec2
                                                                                      • Block 511: 406e5f-406e95, LookupAccountNameW -> 510, 512
                                                                                      • Block 512: 406e97-406e9b -> 513, 514
                                                                                      • Block 513: 406ebb-406ebd -> 510
                                                                                      • Block 514: 406e9d-406ea3 -> 513, 515
                                                                                      • Block 515: 406ea5-406eaa -> 516, 517
                                                                                      • Block 516: 406eb7-406eb9 -> 510
                                                                                      • Block 517: 406eac-406eb0 -> 513, 518
                                                                                      • Block 518: 406eb2-406eb5 -> 513, 516
                                                                                      APIs
                                                                                      • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountLookupUser
                                                                                      • String ID:
                                                                                      • API String ID: 2370142434-0
                                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                      • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                      • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                                      Control-flow Graph (basic blocks: address range, API calls, successor blocks)

                                                                                      • Block 519: 4a2848-4a2861 -> 520
                                                                                      • Block 520: 4a2863-4a2865 -> 521, 522
                                                                                      • Block 521: 4a286c-4a2878, CreateToolhelp32Snapshot -> 523, 524
                                                                                      • Block 522: 4a2867 -> 521
                                                                                      • Block 523: 4a287a-4a2880 -> 524, 530
                                                                                      • Block 524: 4a2888-4a2895, Module32First -> 525, 526
                                                                                      • Block 525: 4a289e-4a28a6
                                                                                      • Block 526: 4a2897-4a2898, call 4a2507 -> 531
                                                                                      • Block 530: 4a2882-4a2886 -> 520, 524
                                                                                      • Block 531: 4a289d -> 525
                                                                                      APIs
                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 004A2870
                                                                                      • Module32First.KERNEL32(00000000,00000224), ref: 004A2890
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756464706.000000000049E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0049E000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_49e000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                      • String ID:
                                                                                      • API String ID: 3833638111-0
                                                                                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                      • Instruction ID: f5fdba7060cbfd2bc63eb72bed9c07068ad8b5ba766cc4bdabdd82abffd30ff0
                                                                                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                      • Instruction Fuzzy Hash: EBF0C2311003156BE7203BFDAA8CA6F76E8AF5A764F10062EF642911C0CBB8E8055664

                                                                                      Control-flow Graph (basic blocks: address range, API calls, successor blocks)

                                                                                      • Block 532: 630e0f-630e24, SetErrorMode * 2 -> 533, 534
                                                                                      • Block 533: 630e26 -> 534
                                                                                      • Block 534: 630e2b-630e2c
                                                                                      APIs
                                                                                      • SetErrorMode.KERNELBASE(00000400,?,?,00630223,?,?), ref: 00630E19
                                                                                      • SetErrorMode.KERNELBASE(00000000,?,?,00630223,?,?), ref: 00630E1E
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorMode
                                                                                      • String ID:
                                                                                      • API String ID: 2340568224-0
                                                                                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                      • Instruction ID: 4b3f2dadeb50f47f9dffb3410bc12ca49dcb814039e7263dfb2ecc5297b295b0
                                                                                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                      • Instruction Fuzzy Hash: 9ED0123124512877D7003A94DC09BCD7B1CDF05B62F008411FB0DD9180C770994046E5

                                                                                      Control-flow Graph (basic blocks: address range, API calls, successor blocks)

                                                                                      • Block 535: 406dc2-406dd5 -> 536, 537
                                                                                      • Block 536: 406e33-406e35
                                                                                      • Block 537: 406dd7-406df1, call 406cc9, call 40ef00 -> 542
                                                                                      • Block 542: 406df4-406df9 -> 542 (loop), 543
                                                                                      • Block 543: 406dfb-406e00 -> 544, 545
                                                                                      • Block 544: 406e02-406e22, GetVolumeInformationA -> 545, 546
                                                                                      • Block 545: 406e24 -> 546
                                                                                      • Block 546: 406e2e -> 536
                                                                                      APIs
                                                                                        • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                        • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                        • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                        • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                      • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                      • String ID:
                                                                                      • API String ID: 1823874839-0
                                                                                      • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                      • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                      • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                      • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                                      Control-flow Graph (basic blocks: address range, API calls, successor blocks)

                                                                                      • Block 547: 409892-4098c0 -> 548, 549
                                                                                      • Block 548: 4098c2-4098c5 -> 549, 551
                                                                                      • Block 549: 4098d9 -> 550
                                                                                      • Block 550: 4098e0-4098f1, SetServiceStatus
                                                                                      • Block 551: 4098c7-4098d7 -> 550
                                                                                      APIs
                                                                                      • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ServiceStatus
                                                                                      • String ID:
                                                                                      • API String ID: 3969395364-0
                                                                                      • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                      • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                      • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                      • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                                      Control-flow Graph (basic blocks: address range, API calls, successor blocks)

                                                                                      • Block 552: 4a2507-4a2541, call 4a281a -> 555, 556
                                                                                      • Block 555: 4a258f -> 555 (loop)
                                                                                      • Block 556: 4a2543-4a2576, VirtualAlloc, call 4a2594 -> 558
                                                                                      • Block 558: 4a257b-4a258d -> 555
                                                                                      APIs
                                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 004A2558
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756464706.000000000049E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0049E000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_49e000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual
                                                                                      • String ID:
                                                                                      • API String ID: 4275171209-0
                                                                                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                      • Instruction ID: 759f0846f8835942c98649e0a8f44c42249d4900c90d0777b9c83076a7089925
                                                                                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                      • Instruction Fuzzy Hash: 89113C79A00208FFDB01DF98CA85E99BBF5AF08350F058095F9489B362D375EA50EF84

                                                                                      Control-flow Graph (basic blocks: address range, API calls, successor blocks)

                                                                                      • Block 559: 4098f2-4098f4 -> 560
                                                                                      • Block 560: 4098f6-409902, call 404280 -> 563, 564
                                                                                      • Block 563: 409904-409913, Sleep -> 560, 565
                                                                                      • Block 564: 409917 -> 566, 567
                                                                                      • Block 565: 409915 -> 564
                                                                                      • Block 566: 409919-409942, call 402544, call 40977c -> 571
                                                                                      • Block 567: 40995e-409960
                                                                                      • Block 571: 409947-409957, call 40ee2a -> 567
                                                                                      APIs
                                                                                        • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                      • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateEventSleep
                                                                                      • String ID:
                                                                                      • API String ID: 3100162736-0
                                                                                      • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                      • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                      • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                      • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000), ref: 006365F6
                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00636610
                                                                                      • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00636631
                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00636652
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                      • String ID:
                                                                                      • API String ID: 1965334864-0
                                                                                      • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                      • Instruction ID: 5bad7fdd52d554cae1eae1fe8eda0c1382e109d6d69530795b6882f4ba48f2be
                                                                                      • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                      • Instruction Fuzzy Hash: BC115171600218BFDB219F65DC46F9B3FA9EB057A5F108034FA09A7251D7B1DD4086A4
                                                                                      APIs
                                                                                      • ExitProcess.KERNEL32 ref: 00639E6D
                                                                                      • lstrcpy.KERNEL32(?,00000000), ref: 00639FE1
                                                                                      • lstrcat.KERNEL32(?,?), ref: 00639FF2
                                                                                      • lstrcat.KERNEL32(?,0041070C), ref: 0063A004
                                                                                      • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0063A054
                                                                                      • DeleteFileA.KERNEL32(?), ref: 0063A09F
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0063A0D6
                                                                                      • lstrcpy.KERNEL32 ref: 0063A12F
                                                                                      • lstrlen.KERNEL32(00000022), ref: 0063A13C
                                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 00639F13
                                                                                        • Part of subcall function 00637029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00637081
                                                                                        • Part of subcall function 00636F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\ddwzbkaa,00637043), ref: 00636F4E
                                                                                        • Part of subcall function 00636F30: GetProcAddress.KERNEL32(00000000), ref: 00636F55
                                                                                        • Part of subcall function 00636F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00636F7B
                                                                                        • Part of subcall function 00636F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00636F92
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0063A1A2
                                                                                      • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0063A1C5
                                                                                      • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0063A214
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0063A21B
                                                                                      • GetDriveTypeA.KERNEL32(?), ref: 0063A265
                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0063A29F
                                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 0063A2C5
                                                                                      • lstrcat.KERNEL32(?,00000022), ref: 0063A2D9
                                                                                      • lstrcat.KERNEL32(?,00410A34), ref: 0063A2F4
                                                                                      • wsprintfA.USER32 ref: 0063A31D
                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 0063A345
                                                                                      • lstrcat.KERNEL32(?,?), ref: 0063A364
                                                                                      • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0063A387
                                                                                      • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0063A398
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0063A1D1
                                                                                        • Part of subcall function 00639966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0063999D
                                                                                        • Part of subcall function 00639966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 006399BD
                                                                                        • Part of subcall function 00639966: RegCloseKey.ADVAPI32(?), ref: 006399C6
                                                                                      • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0063A3DB
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0063A3E2
                                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 0063A41D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                      • String ID: "$"$"$D$P$\
                                                                                      • API String ID: 1653845638-2605685093
                                                                                      • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                      • Instruction ID: 004cfa5f0f547e74694f3e89fe23c81aca41e03a637ba42b0df4c0efa34ac21d
                                                                                      • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                      • Instruction Fuzzy Hash: 16F153B1D40259AFDF11DBA0CC49EEF7BBDAB08304F0440AAF645E2151E7B58A85CFA5
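The two listings above, the allocate-and-write function (GetModuleHandleA, VirtualAlloc, VirtualAllocEx, WriteProcessMemory at 006365F6-00636652) and the install-and-relaunch function (RegOpenKeyExA, RegSetValueExA, GetModuleFileNameA, CreateProcessA, DeleteFileA at 0063A1A2-0063A398), are flat API traces in which every constant is printed as raw hex. The script below is an added example for readers of this report; it is not part of Joe Sandbox, of the report or of the sample. It parses bullet lines in exactly the shape used here ("API.MODULE(args), ref: address", with "?" for arguments the sandbox could not resolve and the "Part of subcall function" prefix for callee lines), decodes the Windows SDK constants that matter for triage (MEM_*, PAGE_*, process-creation flags, HKEY_CURRENT_USER) and flags API sets that occur together in one function. REPORT_TEXT is copied from the two listings; the function names, the chain labels and the choice of which API sets to flag are this example's own assumptions, and it assumes that string arguments contain no commas.

```python
"""Parse the 'APIs' listings of a Joe Sandbox function dump and flag call chains.
Added triage helper; not part of Joe Sandbox, of this report or of the sample."""
import re
from collections import namedtuple
# Constructed input: two function listings copied from this report (process 11, region 0x630000).
REPORT_TEXT = r"""
APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 006365F6
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00636610
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00636631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00636652
APIs
• ExitProcess.KERNEL32 ref: 00639E6D
  • Part of subcall function 00636F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\ddwzbkaa,00637043), ref: 00636F4E
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0063A1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0063A1C5
• GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0063A21B
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0063A387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0063A398
"""
# One bullet: optional 'Part of subcall function XXXXXXXX:' prefix, API.MODULE, optional argument
# list (assumed to hold no commas inside strings) and the call-site address after 'ref:'.
API_LINE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?(?P<api>\w+)\.(?P<module>\w+)"
                      r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$")
# Windows SDK constants for the decoders below.
MEM_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN"}
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
             0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
             0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MOD = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
CREATE_FLAGS = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS", 0x10: "CREATE_NEW_CONSOLE", 0x08000000: "CREATE_NO_WINDOW"}
# API sets worth a second look when all of them occur in one function (labels are this example's own).
CHAINS = {
    "remote allocation + write (process injection primitive)": {"VirtualAllocEx", "WriteProcessMemory"},
    "relaunch then delete (self-deletion)": {"GetModuleFileNameA", "CreateProcessA", "DeleteFileA"},
    "registry value write (persistence candidate)": {"RegOpenKeyExA", "RegSetValueExA"},
}
# args: int for hex values, None for '?', str for resolved strings; subcall: callee address or None.
ApiCall = namedtuple("ApiCall", "api module args ref subcall")

def parse_arg(token):
    token = token.strip()
    if token in ("", "?"):
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token  # e.g. the pipe name in the GetModuleHandleA subcall line

def parse_report(text):
    """Split the text into functions at each 'APIs' header and parse the bullets."""
    functions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            functions.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            args = tuple(parse_arg(t) for t in m["args"].split(",")) if m["args"] is not None else ()
            sub = int(m["sub"], 16) if m["sub"] else None
            current.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), sub))
    return functions

def decode_flags(value, table):
    """Name every set bit the table knows, falling back to hex."""
    if value is None:
        return "?"
    return "|".join(name for bit, name in table.items() if value & bit) or hex(value)

def decode_protect(value):
    """PAGE_* is one base value in the low byte plus optional modifier bits."""
    if value is None:
        return "?"
    names = [PAGE_BASE.get(value & 0xFF, hex(value & 0xFF))]
    return "|".join(names + [name for bit, name in PAGE_MOD.items() if value & bit])

def annotate(call):
    """Decode the constants that matter for triage on a few well-known calls."""
    a = call.args
    if call.api == "VirtualAlloc" and len(a) >= 4:    # (addr, size, type, protect)
        return f"{decode_flags(a[2], MEM_TYPE)} {decode_protect(a[3])}"
    if call.api == "VirtualAllocEx" and len(a) >= 5:  # (hProcess, addr, size, type, protect)
        return f"{decode_flags(a[3], MEM_TYPE)} {decode_protect(a[4])}"
    if call.api == "CreateProcessA" and len(a) >= 6 and a[5] is not None:  # dwCreationFlags
        return decode_flags(a[5], CREATE_FLAGS)
    if call.api == "RegOpenKeyExA" and a and a[0] == 0x80000001:
        return "HKEY_CURRENT_USER"
    return ""

def flag_chains(calls, include_subcalls=False):
    """Chain labels whose APIs all occur in this function's own listing."""
    names = {c.api for c in calls if include_subcalls or c.subcall is None}
    return [label for label, required in CHAINS.items() if required <= names]

if __name__ == "__main__":
    for index, calls in enumerate(parse_report(REPORT_TEXT), 1):
        print(f"function {index}: {', '.join(flag_chains(calls)) or 'no flagged chain'}")
        print(*[f"    {c.api} @ {c.ref:08X}: {annotate(c)}" for c in calls if annotate(c)], sep="\n")
```

Run as a script, it prints one line per function with the flagged chains, followed by the decoded constants: the VirtualAllocEx call resolves to MEM_COMMIT with PAGE_EXECUTE_READWRITE, the RegOpenKeyExA root to HKEY_CURRENT_USER and the CreateProcessA creation flags to CREATE_NO_WINDOW, none of which the fuzzy hashes or API IDs in the report convey. Feeding the complete report text to parse_report works the same way, because every line that is neither an "APIs" header nor a bullet is skipped; callee lines are parsed but left out of chain matching unless include_subcalls is set, so a chain is attributed only to the function that actually contains the calls.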
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
• GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
• GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
• GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
• GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
• GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
• GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
• GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
• Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
• Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
• Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
• Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D

APIs
• GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
• FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
• SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
• GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
• wsprintfA.USER32 ref: 0040B3B7
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Similarity
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98

APIs
• RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
• GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
• LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
• EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
• LocalFree.KERNEL32(00000000), ref: 00407BB2
• GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe$D
• API String ID: 2976863881-3478025276
• Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
• Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69

APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00637D21
• GetUserNameA.ADVAPI32(?,?), ref: 00637D46
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00637D7D
• RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00637DA2
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00637DC0
• EqualSid.ADVAPI32(?,?), ref: 00637DD1
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00637DE5
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00637DF3
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00637E03
• RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00637E12
• LocalFree.KERNEL32(00000000), ref: 00637E19
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00637E35
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe$D
• API String ID: 2976863881-3478025276
• Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
• Instruction ID: 6e3f48ecac669917def4e4b7361602fdd4ae7414a53102948d186a8c8a6f3d58
• Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
• Instruction Fuzzy Hash: 78A131B1900219AFDF21DFA1DD48FEEBBB9FB08300F148069F515E6250DB759A85CBA4

Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
• Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
• Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58

APIs
• wsprintfA.USER32 ref: 0040A7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
• wsprintfA.USER32 ref: 0040A8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
• wsprintfA.USER32 ref: 0040A8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
• wsprintfA.USER32 ref: 0040A9B9
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
• Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
• Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0040782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
• GetLengthSid.ADVAPI32(?), ref: 00407878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
• GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
• EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
• LocalFree.KERNEL32(00000000), ref: 00407917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
• GetAce.ADVAPI32(?,00000000,?), ref: 00407963
• EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
• DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
• EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
• LocalFree.KERNEL32(00000000), ref: 00407A87
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69

APIs
• GetUserNameA.ADVAPI32(?,?), ref: 00637A96
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00637ACD
• GetLengthSid.ADVAPI32(?), ref: 00637ADF
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00637B01
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00637B1F
• EqualSid.ADVAPI32(?,?), ref: 00637B39
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00637B4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00637B58
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00637B68
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00637B77
• LocalFree.KERNEL32(00000000), ref: 00637B7E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00637B9A
• GetAce.ADVAPI32(?,?,?), ref: 00637BCA
• EqualSid.ADVAPI32(?,?), ref: 00637BF1
• DeleteAce.ADVAPI32(?,?), ref: 00637C0A
• EqualSid.ADVAPI32(?,?), ref: 00637C2C
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00637CB1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00637CBF
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00637CD0
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00637CE0
• LocalFree.KERNEL32(00000000), ref: 00637CEE
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: 2777732776f2b663c83719a6f685171ed4a96a91360503122fc8cd2e2c1b8299
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: D4814CB190421AAFDB21CFA5DD84FEEBBB9AF08304F14806AE505E6250D7759A41CBA4

APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe$localcfg
• API String ID: 237177642-230564873
• Opcode ID: e56aa1dd170c8f00fbf59b9ba8cc7407dc25a627227ec8cef7c3cf2c020b1006
• Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
• Opcode Fuzzy Hash: e56aa1dd170c8f00fbf59b9ba8cc7407dc25a627227ec8cef7c3cf2c020b1006
• Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69

                                                                                      APIs
                                                                                      • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                      • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShelllstrlen
                                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                      • API String ID: 1628651668-179334549
                                                                                      • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                      • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                      • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                      • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
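This entry is the sample's UAC-bypass routine: ShellExecuteExW next to the strings uac, wusa.exe and %systemroot%\system32\cmd.exe. wusa.exe (the Windows Update Standalone Installer) auto-elevates for administrators under default UAC settings, which is why it is a common vehicle for launching a shell at high integrity without a prompt. The PowerShell below is an added detection example, not part of the Joe Sandbox report. The report does not show the command lines the sample passes, so the two rules are assumed heuristics: wusa.exe started with neither a .msu package nor /uninstall on its command line, and cmd.exe whose parent is wusa.exe. The process-creation records in the block are constructed test input, not telemetry from this analysis.

```powershell
# Added detection logic (not from the Joe Sandbox report) for the wusa.exe / cmd.exe
# launch pattern in the entry above. Rules are heuristics assumed from the strings;
# the sample's real command lines are not shown on the page.
function Test-SuspiciousWusa {
    param(
        [Parameter(Mandatory)][string]$Image,
        [string]$CommandLine = '',
        [string]$ParentImage = ''
    )
    $isWusa     = $Image       -match '\\wusa\.exe$'
    $isCmd      = $Image       -match '\\cmd\.exe$'
    $wusaParent = $ParentImage -match '\\wusa\.exe$'

    # Rule 1: wusa.exe's documented job is installing or removing .msu packages.
    # A launch with neither is worth a look (legacy /extract abuse lands here too).
    if ($isWusa -and $CommandLine -notmatch '\.msu\b' -and $CommandLine -notmatch '/uninstall') {
        return 'wusa.exe without .msu or /uninstall argument'
    }
    # Rule 2: an auto-elevated installer spawning a command shell.
    if ($isCmd -and $wusaParent) {
        return 'cmd.exe spawned by wusa.exe'
    }
    return $null
}

# Constructed sample records (not real telemetry) to exercise the rules offline.
$sample = @(
    @{ Image = 'C:\Windows\System32\wusa.exe'
       CommandLine = 'wusa.exe C:\Temp\KB1234567.msu /quiet'
       ParentImage = 'C:\Windows\explorer.exe' },                       # benign
    @{ Image = 'C:\Windows\System32\wusa.exe'
       CommandLine = 'wusa.exe C:\Users\Public\update.cab'
       ParentImage = 'C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe' },    # rule 1
    @{ Image = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe /c whoami'
       ParentImage = 'C:\Windows\System32\wusa.exe' },                  # rule 2
    @{ Image = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe'
       ParentImage = 'C:\Windows\explorer.exe' }                        # benign
)

$sample | ForEach-Object {
    [pscustomobject]@{
        Image = $_.Image
        Rule  = Test-SuspiciousWusa -Image $_.Image -CommandLine $_.CommandLine -ParentImage $_.ParentImage
    }
}

# Live variant over Sysmon Event ID 1 (needs Sysmon and read access to its log).
function Get-SuspiciousWusaEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        $d = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $hit = Test-SuspiciousWusa -Image $d['Image'] -CommandLine $d['CommandLine'] -ParentImage $d['ParentImage']
        if ($hit) {
            [pscustomobject]@{
                Time = $evt.TimeCreated; Rule = $hit
                Image = $d['Image']; Parent = $d['ParentImage']; CommandLine = $d['CommandLine']
            }
        }
    }
}
```

Rule 1 will also match `wusa.exe /?` and similar interactive use; treat the parent image (here the dropped binary under SysWOW64) as the stronger signal when triaging hits.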
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                      • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                      • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                      • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                        • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                      • API String ID: 4207808166-1381319158
                                                                                      • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                      • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                      • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                      • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
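The two preceding entries give the sample's on-host footprint: a REG_DWORD written under HKEY_LOCAL_MACHINE (RegOpenKeyExA with hKey 80000002, RegSetValueExA with dwType 00000004 and cbData 00000004), the configuration value names born_date, flags_upd, hi_id, lid_file_upd, loader_id, localcfg, net_type, start_srv and work_srv, and the dropped binary C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe. The subkey the values live under is not shown in the listing. The PowerShell triage script below is an added example, not part of the Joe Sandbox report. It assumes (the report does not say so) that the directory and file names are generated per infection, so it matches on the value names and on the eight-lowercase-letter naming shape rather than on the literal path.

```powershell
#Requires -RunAsAdministrator
# Added triage script (not from the Joe Sandbox report) for the registry values and
# dropped binary listed above. Assumption: jjcfhqgg\wzsddmnn.exe is a per-infection
# random name, hence the pattern match instead of the literal path.

# Value names taken from the String IDs of the two function entries above.
$tofseeValueNames = @('localcfg', 'born_date', 'flags_upd', 'hi_id', 'lid_file_upd',
                      'loader_id', 'net_type', 'start_srv', 'work_srv')

function Find-TofseeConfigKeys {
    param([string[]]$Roots = @('HKLM:\SOFTWARE'))
    # The process is 32-bit (it lives under SysWOW64); walking HKLM:\SOFTWARE recursively
    # covers both the native view and WOW6432Node. Expect this to take a few minutes.
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            $present = @($key.GetValueNames() | Where-Object { $tofseeValueNames -contains $_ })
            # 'localcfg' alone is specific enough; otherwise require two of the names together.
            if ($present -contains 'localcfg' -or $present.Count -ge 2) {
                [pscustomobject]@{ Key = $key.Name; Values = ($present -join ', ') }
            }
        }
    }
}

function Find-TofseeDropPath {
    # C:\Windows\SysWOW64\<8 lowercase letters>\<8 lowercase letters>.exe (assumed shape).
    $namePattern = '^[a-z]{8}$'
    Get-ChildItem -Path "$env:SystemRoot\SysWOW64" -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $namePattern } |
        ForEach-Object {
            Get-ChildItem -Path $_.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue |
                Where-Object { $_.BaseName -match $namePattern }
        } |
        Select-Object FullName, Length, CreationTimeUtc
}

function Find-TofseeService {
    # Any service whose binary sits in such a directory (PathName may be quoted).
    Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { $_.PathName -match 'SysWOW64\\[a-z]{8}\\[a-z]{8}\.exe' } |
        Select-Object Name, State, StartMode, PathName
}

Find-TofseeConfigKeys
Find-TofseeDropPath
Find-TofseeService
```

Run it from a 64-bit PowerShell session so both registry views are reachable; a hit from Find-TofseeConfigKeys plus a matching executable from Find-TofseeDropPath is a much stronger signal than either alone.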
                                                                                      APIs
                                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                      • API String ID: 835516345-270533642
                                                                                      • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                      • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                      • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                      • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0063865A
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0063867B
                                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 006386A8
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 006386B1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseOpenQuery
                                                                                      • String ID: "$C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe
                                                                                      • API String ID: 237177642-143310522
                                                                                      • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                      • Instruction ID: a18becb90527f311f467a174d3446e6361bbc5c70b801adc32c65c389fe62b62
                                                                                      • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                      • Instruction Fuzzy Hash: BCC1A3B1D00249BEEB11ABA4DD86EEF7B7EEB05300F144079F504E7191EB714E948BA5
                                                                                      APIs
                                                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
                                                                                      • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
                                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                      • htons.WS2_32(00000000), ref: 00402ADB
                                                                                      • select.WS2_32 ref: 00402B28
                                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                      • htons.WS2_32(?), ref: 00402B71
                                                                                      • htons.WS2_32(?), ref: 00402B8C
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                      • String ID:
                                                                                      • API String ID: 1639031587-0
                                                                                      • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                      • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                      • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                      • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                      APIs
                                                                                      • ShellExecuteExW.SHELL32(?), ref: 00631601
                                                                                      • lstrlenW.KERNEL32(-00000003), ref: 006317D8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShelllstrlen
                                                                                      • String ID: $<$@$D
                                                                                      • API String ID: 1628651668-1974347203
                                                                                      • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                      • Instruction ID: caf068128540a797aff35b05673888e39df15d97756dd447b1f92ccaa41d67af
                                                                                      • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                      • Instruction Fuzzy Hash: AEF18EB15083419FD720CF64C888BABB7E6FB8A305F10892DF5959B390D7B4D944CBA6
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 006376D9
                                                                                      • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00637757
                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0063778F
                                                                                      • ___ascii_stricmp.LIBCMT ref: 006378B4
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 0063794E
                                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0063796D
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 0063797E
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 006379AC
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00637A56
                                                                                        • Part of subcall function 0063F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,0063772A,?), ref: 0063F414
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 006379F6
                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00637A4D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                      • String ID: "
                                                                                      • API String ID: 3433985886-123907689
                                                                                      • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                      • Instruction ID: 57b2417277589b53b9b4f3a2c5b74244d83629d32dfa0540b7e528a7101182fd
                                                                                      • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                      • Instruction Fuzzy Hash: D1C1B4B2904209AFDB21DBA4DC45FEE7BBAEF45310F1041A5F504E6291EB71DE84CBA4
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
                                                                                      • RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
                                                                                      • RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
                                                                                      • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
                                                                                      • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
                                                                                      • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                      • RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
                                                                                      • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                      • RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
                                                                                        • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                      • String ID: $"
                                                                                      • API String ID: 4293430545-3817095088
                                                                                      • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                      • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                      • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                      • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
                                                                                      APIs
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 00632CED
                                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 00632D07
                                                                                      • htons.WS2_32(00000000), ref: 00632D42
                                                                                      • select.WS2_32 ref: 00632D8F
                                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 00632DB1
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00632E62
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                      • String ID:
                                                                                      • API String ID: 127016686-0
                                                                                      • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                      • Instruction ID: d71569b7471ba7dbebee5f49c3f3236771afe35fb4fd1cd00a3cbb7167fba193
                                                                                      • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                      • Instruction Fuzzy Hash: 5061DC71904306ABC320AF64DC19BABBBE9EF88741F15481DF98496261D7B498808BE6
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                        • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                        • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                        • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                        • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                        • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                        • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                      • wsprintfA.USER32 ref: 0040AEA5
                                                                                        • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                      • wsprintfA.USER32 ref: 0040AE4F
                                                                                      • wsprintfA.USER32 ref: 0040AE5E
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                      • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                      • API String ID: 3631595830-1816598006
                                                                                      • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                      • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                      • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                      • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                      • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                      • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                      • htons.WS2_32(00000035), ref: 00402E88
                                                                                      • inet_addr.WS2_32(?), ref: 00402E93
                                                                                      • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                      • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                      • String ID: GetNetworkParams$iphlpapi.dll
                                                                                      • API String ID: 929413710-2099955842
                                                                                      • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                      • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                      • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                      • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                      APIs
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                                      • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                                      • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                                      • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                                      • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                                      • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                                      • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
                                                                                      • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
                                                                                      • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
                                                                                      • CloseHandle.KERNEL32(000000FF,?,74DF0F10,00000000), ref: 00406971
                                                                                        • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                        • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Similarity
                                                                                      • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                      • String ID:
                                                                                      • API String ID: 2622201749-0
                                                                                      • Opcode ID: 3e11a711921d160b0f1aac263f823a8e39ac5cf0b0624a850b45692c28cf4611
                                                                                      • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                      • Opcode Fuzzy Hash: 3e11a711921d160b0f1aac263f823a8e39ac5cf0b0624a850b45692c28cf4611
                                                                                      • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                      • wsprintfA.USER32 ref: 004093CE
                                                                                      • wsprintfA.USER32 ref: 0040940C
                                                                                      • wsprintfA.USER32 ref: 0040948D
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Similarity
                                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                      • String ID: runas
                                                                                      • API String ID: 3696105349-4000483414
                                                                                      • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                      • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                      • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                      • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 0040B467
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                        • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Similarity
                                                                                      • API ID: lstrlen$wsprintf
                                                                                      • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                      • API String ID: 1220175532-2340906255
                                                                                      • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                      • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                      • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                      • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 00402078
                                                                                      • GetTickCount.KERNEL32 ref: 004020D4
                                                                                      • GetTickCount.KERNEL32 ref: 004020DB
                                                                                      • GetTickCount.KERNEL32 ref: 0040212B
                                                                                      • GetTickCount.KERNEL32 ref: 00402132
                                                                                      • GetTickCount.KERNEL32 ref: 00402142
                                                                                        • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                        • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                        • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                        • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                        • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Similarity
                                                                                      • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                      • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                      • API String ID: 3976553417-1522128867
                                                                                      • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                      • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                      • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                      • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                      APIs
                                                                                      • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                      • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Similarity
                                                                                      • API ID: closesockethtonssocket
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 311057483-2401304539
                                                                                      • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                      • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                      • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                      • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                      • ExitProcess.KERNEL32 ref: 00404121
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Similarity
                                                                                      • API ID: CreateEventExitProcess
                                                                                      • String ID:
                                                                                      • API String ID: 2404124870-0
                                                                                      • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                      • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                      • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                      • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                      APIs
                                                                                        • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                        • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                      • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                      • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                      • GetTickCount.KERNEL32 ref: 0040C363
                                                                                      • GetTickCount.KERNEL32 ref: 0040C378
                                                                                      • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                      • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                      • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                      • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Similarity
                                                                                      • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1553760989-1857712256
                                                                                      • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                      • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                      • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                      • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00633068
                                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00633078
                                                                                      • GetProcAddress.KERNEL32(00000000,00410408), ref: 00633095
                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 006330B6
                                                                                      • htons.WS2_32(00000035), ref: 006330EF
                                                                                      • inet_addr.WS2_32(?), ref: 006330FA
                                                                                      • gethostbyname.WS2_32(?), ref: 0063310D
                                                                                      • HeapFree.KERNEL32(00000000), ref: 0063314D
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                      • String ID: iphlpapi.dll
                                                                                      • API String ID: 2869546040-3565520932
                                                                                      • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                      • Instruction ID: b7ce875e1c3804ed96ec611f1493cc241e1cd41100721c13529a808386e9a7d6
                                                                                      • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                      • Instruction Fuzzy Hash: E131C831A0021AABDF119BB89C48AEE77B9EF04761F148225F518E7390DB74DE41CBD8
APIs
• GetVersionExA.KERNEL32(?), ref: 006395A7
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 006395D5
• GetModuleFileNameA.KERNEL32(00000000), ref: 006395DC
• wsprintfA.USER32 ref: 00639635
• wsprintfA.USER32 ref: 00639673
• wsprintfA.USER32 ref: 006396F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00639758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0063978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 006397D8
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID:
• API String ID: 3696105349-0
• Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction ID: 2cf3711e6ba9614781d0edf08d5aca55e179651d3d9362ce0c60e4abaa18d653
• Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction Fuzzy Hash: 49A16EB1900208AFEB21DFA0DC45FDA3BAEEB45741F10402AFA15D6291E7B5D984CFE5

APIs
• GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
• Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
• Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8

APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
• Opcode ID: b366c7dbd41046e3dcbc2770e1e20e14b6b6a067fcbdbe8acda447745b45d8a3
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: b366c7dbd41046e3dcbc2770e1e20e14b6b6a067fcbdbe8acda447745b45d8a3
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
• GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
• GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
• Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
• Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
• Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

APIs
• IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 006367C3
• htonl.WS2_32(?), ref: 006367DF
• htonl.WS2_32(?), ref: 006367EE
• GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 006368F1
• ExitProcess.KERNEL32 ref: 006369BC
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: Processhtonl$CurrentExitHugeRead
• String ID: except_info$localcfg
• API String ID: 1150517154-3605449297
• Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction ID: 487d61afac9911c8e3119cac0c6cc6c50e0df2cd76b304932b20fe69bf254791
• Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
• Instruction Fuzzy Hash: 46615F71940208AFDB609FB4DC45FEA77E9FB08300F24806AFA6DD2161DA7599948F64

APIs
• htons.WS2_32(0063CC84), ref: 0063F5B4
• socket.WS2_32(00000002,00000001,00000000), ref: 0063F5CE
• closesocket.WS2_32(00000000), ref: 0063F5DC
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction ID: fbb37f92a1887dfc506eb2834564df2f2675315ea6eb1172945980f5c984c5e0
• Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
• Instruction Fuzzy Hash: 0E317C72900119ABDB10DFA5DC89DEF7BBDEF89310F10456AF915D3250E7708A818BE4

APIs
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
• LocalFree.KERNEL32(00000120), ref: 0040701F
• wsprintfA.USER32 ref: 00407036
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
• Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
• Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
• Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98

APIs
• GetModuleHandleA.KERNEL32(?), ref: 00632FA1
• LoadLibraryA.KERNEL32(?), ref: 00632FB1
• GetProcAddress.KERNEL32(00000000,004103F0), ref: 00632FC8
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00633000
• RtlAllocateHeap.NTDLL(00000000), ref: 00633007
• lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00633032
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: dnsapi.dll
• API String ID: 1242400761-3175542204
• Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction ID: 09bd20ff1261e82c14aa8b3b1ff62c2aa991749292e49c384c2c148e94a11313
• Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
• Instruction Fuzzy Hash: 2E21A17194022ABBCB219B94DC48AEEBBBDEF08B10F104425F901E7250D7B49E818BE4

APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD

APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00639A18
• GetThreadContext.KERNEL32(?,?), ref: 00639A52
• TerminateProcess.KERNEL32(?,00000000), ref: 00639A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00639A98
• SetThreadContext.KERNEL32(?,00010002), ref: 00639AB5
• ResumeThread.KERNEL32(?), ref: 00639AC2
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
• Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction ID: f16c523d8f30c708e29e5b5262efa8797f83da662ca81704527373645ea4fd55
• Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
• Instruction Fuzzy Hash: A9213BB1E01219BBDB119BA1DC09EEF7BBDEF04750F404161BA19E1150EBB58A44CFE4

APIs
• inet_addr.WS2_32(004102D8), ref: 00631C18
• LoadLibraryA.KERNEL32(004102C8), ref: 00631C26
• GetProcessHeap.KERNEL32 ref: 00631C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00631C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00631CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 00631D02
• FreeLibrary.KERNEL32(?), ref: 00631D0B
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
• Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction ID: 3899c8cf5ed2b32c0721cc75b8e5540f9dd6f976ca5e8542a9eaf957208c760e
• Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
• Instruction Fuzzy Hash: E7312D32E00219BFCB119FE4DC888FEBBBAEF46751F24447AE501A6210D7B54E81DB94

APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00636CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00636D22
• GetLastError.KERNEL32 ref: 00636DA7
• CloseHandle.KERNEL32(?), ref: 00636DB5
• GetLastError.KERNEL32 ref: 00636DD6
• DeleteFileA.KERNEL32(?), ref: 00636DE7
• GetLastError.KERNEL32 ref: 00636DFD
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\ddwzbkaa,00637043), ref: 00636F4E
• GetProcAddress.KERNEL32(00000000), ref: 00636F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00636F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00636F92
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$\\.\pipe\ddwzbkaa
• API String ID: 1082366364-3028914379
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: lstrlen
• String ID: $localcfg
• API String ID: 1659193697-2018645984
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
• lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
APIs
  • Part of subcall function 0063DF6C: GetCurrentThreadId.KERNEL32 ref: 0063DFBA
• lstrcmp.KERNEL32(00410178,00000000), ref: 0063E8FA
• lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00636128), ref: 0063E950
• lstrcmp.KERNEL32(?,00000008), ref: 0063E989
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CurrentThreadlstrcpyn
• String ID: A$ A$ A
• API String ID: 2920362961-1846390581
APIs
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
APIs
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 006392E2
• wsprintfA.USER32 ref: 00639350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00639375
• lstrlen.KERNEL32(?,?,00000000), ref: 00639389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 00639394
• CloseHandle.KERNEL32(00000000), ref: 0063939B
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
APIs
• GetTickCount.KERNEL32 ref: 0063C6B4
• InterlockedIncrement.KERNEL32(0063C74B), ref: 0063C715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0063C747), ref: 0063C728
• CloseHandle.KERNEL32(00000000,?,0063C747,00413588,00638A77), ref: 0063C733
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe
• API String ID: 124786226-1358119261
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0063E50A,00000000,00000000,00000000,00020106,00000000,0063E50A,00000000,000000E4), ref: 0063E319
• RegSetValueExA.ADVAPI32(0063E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0063E38E
• RegDeleteValueA.ADVAPI32(0063E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dc), ref: 0063E3BF
• RegCloseKey.ADVAPI32(0063E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dc,0063E50A), ref: 0063E3C8
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID: Dc
• API String ID: 2667537340-2761895551
                                                                                      • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                      • Instruction ID: bb53dc9b2a09723c03d69832ca0aafdb54d6d47eee161eceb7e17376365d4404
                                                                                      • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                      • Instruction Fuzzy Hash: 3D212C71A0021DABEF209FA5EC89EEE7F7AEF08750F048065F904A6151E6729A54D7E0
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 006371E1
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00637228
                                                                                      • LocalFree.KERNEL32(?,?,?), ref: 00637286
                                                                                      • wsprintfA.USER32 ref: 0063729D
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                      • String ID: |
                                                                                      • API String ID: 2539190677-2343686810
                                                                                      • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                      • Instruction ID: b5db6882a6b2bdbaaf1f1d776709ad3b8b7d2d21e27e2cdbc9457fa624ddd895
                                                                                      • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                      • Instruction Fuzzy Hash: 443138B2A04208BBCB11DFA8DC45ADA7BBDEF04314F148066F859DB201EA75DB488B94
                                                                                      APIs
                                                                                      • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                      • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                      • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                                      • String ID: LocalHost
                                                                                      • API String ID: 3695455745-3154191806
                                                                                      • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                      • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                      • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                      • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                      • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                      • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: QueryValue$CloseOpen
                                                                                      • String ID:
                                                                                      • API String ID: 1586453840-0
                                                                                      • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                      • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                      • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                      • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 0063B51A
                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0063B529
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0063B548
                                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 0063B590
                                                                                      • wsprintfA.USER32 ref: 0063B61E
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                      • String ID:
                                                                                      • API String ID: 4026320513-0
                                                                                      • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction ID: b9a1181937ab5563bde3209f79e38162392356868bbfe48ef7be3ad1fad697f1
                                                                                      • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                      • Instruction Fuzzy Hash: CC5110B1D0021CAACF14DFD5D8895EEBBB9BF48314F10816AF605A6150E7B84AC9CFD8
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                      • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                      • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$CreateEvent
                                                                                      • String ID:
                                                                                      • API String ID: 1371578007-0
                                                                                      • Opcode ID: 1db0d5f7b6064e75062ff8bfce8a29c92980ee15a886d8a0a9dbcd83443ad8e7
                                                                                      • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                      • Opcode Fuzzy Hash: 1db0d5f7b6064e75062ff8bfce8a29c92980ee15a886d8a0a9dbcd83443ad8e7
                                                                                      • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                      APIs
                                                                                      • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                      • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                                      • String ID:
                                                                                      • API String ID: 2438460464-0
                                                                                      • Opcode ID: cdb262ec370b426fde57d6ad7dac50f94a445bc2c3cf148f8403119d86b986b8
                                                                                      • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                      • Opcode Fuzzy Hash: cdb262ec370b426fde57d6ad7dac50f94a445bc2c3cf148f8403119d86b986b8
                                                                                      • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                      APIs
                                                                                      • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00636303
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 0063632A
                                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 006363B1
                                                                                      • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00636405
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: HugeRead$AddressLibraryLoadProc
                                                                                      • String ID:
                                                                                      • API String ID: 3498078134-0
                                                                                      • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                      • Instruction ID: 2029a4bd38f5b4aa6a49df95dbca38b330be382006f9199d71943928c10ce274
                                                                                      • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                      • Instruction Fuzzy Hash: C4413871A00209BBEB14CF58C884AA9B7FAEF04358F28C169F916D7391E771ED51CB90
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                      • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                      • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                      • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                      APIs
                                                                                        • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                        • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                        • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                      • lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                      • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                      • lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                      • String ID: A$ A
                                                                                      • API String ID: 3343386518-686259309
                                                                                      • Opcode ID: 1d609f471070ccbafc6f86b9a6aefc5b8cbc94f88b448cd9269418e4962c22b1
                                                                                      • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                      • Opcode Fuzzy Hash: 1d609f471070ccbafc6f86b9a6aefc5b8cbc94f88b448cd9269418e4962c22b1
                                                                                      • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 0040272E
                                                                                      • htons.WS2_32(00000001), ref: 00402752
                                                                                      • htons.WS2_32(0000000F), ref: 004027D5
                                                                                      • htons.WS2_32(00000001), ref: 004027E3
                                                                                      • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                        • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                        • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                      • String ID:
                                                                                      • API String ID: 1802437671-0
                                                                                      • Opcode ID: c2476777da6022415cc9760e0eaf9e2b6e18cfe20a0c667cff75e655e9f5f1fe
                                                                                      • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                      • Opcode Fuzzy Hash: c2476777da6022415cc9760e0eaf9e2b6e18cfe20a0c667cff75e655e9f5f1fe
                                                                                      • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                      APIs
                                                                                      • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                      • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: setsockopt
                                                                                      • String ID:
                                                                                      • API String ID: 3981526788-0
                                                                                      • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                      • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                      • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                      • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
• CharToOemA.USER32(?,?), ref: 00409174
• wsprintfA.USER32 ref: 004091A9
  • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
  • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
  • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
  • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
  • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
  • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
APIs
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 006393C6
• GetModuleFileNameA.KERNEL32(00000000), ref: 006393CD
• CharToOemA.USER32(?,?), ref: 006393DB
• wsprintfA.USER32 ref: 00639410
  • Part of subcall function 006392CB: GetTempPathA.KERNEL32(00000400,?), ref: 006392E2
  • Part of subcall function 006392CB: wsprintfA.USER32 ref: 00639350
  • Part of subcall function 006392CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00639375
  • Part of subcall function 006392CB: lstrlen.KERNEL32(?,?,00000000), ref: 00639389
  • Part of subcall function 006392CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00639394
  • Part of subcall function 006392CB: CloseHandle.KERNEL32(00000000), ref: 0063939B
• ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00639448
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Similarity
• API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
• String ID:
• API String ID: 3857584221-0
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Similarity
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 2574300362-1087626847
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2777991786-2393279970
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg$u6A
• API String ID: 1594361348-1940331995
APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 006369E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00636A26
• GetFileSize.KERNEL32(000000FF,00000000), ref: 00636A3A
• CloseHandle.KERNEL32(000000FF), ref: 00636BD8
  • Part of subcall function 0063EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00631DCF,?), ref: 0063EEA8
  • Part of subcall function 0063EE95: HeapFree.KERNEL32(00000000), ref: 0063EEAF
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Similarity
• API ID: File$AttributesHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 3384756699-0
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
• RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
• RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
APIs
• WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
• GetLastError.KERNEL32 ref: 00403F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
• GetLastError.KERNEL32 ref: 00403FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 006341AB
• GetLastError.KERNEL32 ref: 006341B5
• WaitForSingleObject.KERNEL32(?,?), ref: 006341C6
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 006341D9
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
APIs
• ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0063421F
• GetLastError.KERNEL32 ref: 00634229
• WaitForSingleObject.KERNEL32(?,?), ref: 0063423A
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0063424D
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
APIs
• lstrcmp.KERNEL32(?,80000009), ref: 0063E066
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: lstrcmp
• String ID: A$ A$ A
• API String ID: 1534048567-1846390581
APIs
• GetTickCount.KERNEL32 ref: 0040A4D1
• GetTickCount.KERNEL32 ref: 0040A4E4
• Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404E9E
• GetTickCount.KERNEL32 ref: 00404EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00404BDD
• GetTickCount.KERNEL32 ref: 00404BEC
• Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
• InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
APIs
• WriteFile.KERNEL32(00000001,Dc,00000000,00000000,00000000), ref: 0063E470
• CloseHandle.KERNEL32(00000001,00000003), ref: 0063E484
  • Part of subcall function 0063E2FC: RegCreateKeyExA.ADVAPI32(80000001,0063E50A,00000000,00000000,00000000,00020106,00000000,0063E50A,00000000,000000E4), ref: 0063E319
  • Part of subcall function 0063E2FC: RegSetValueExA.ADVAPI32(0063E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0063E38E
  • Part of subcall function 0063E2FC: RegDeleteValueA.ADVAPI32(0063E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dc), ref: 0063E3BF
  • Part of subcall function 0063E2FC: RegCloseKey.ADVAPI32(0063E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Dc,0063E50A), ref: 0063E3C8
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: CloseValue$CreateDeleteFileHandleWrite
• String ID: Dc
• API String ID: 4151426672-2761895551
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 006383C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00638477
  • Part of subcall function 006369C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 006369E5
  • Part of subcall function 006369C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00636A26
  • Part of subcall function 006369C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00636A3A
  • Part of subcall function 0063EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00631DCF,?), ref: 0063EEA8
  • Part of subcall function 0063EE95: HeapFree.KERNEL32(00000000), ref: 0063EEAF
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe
• API String ID: 359188348-1358119261
APIs
• GetLocalTime.KERNEL32(?), ref: 0063AFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0063B00D
  • Part of subcall function 0063AF6F: gethostname.WS2_32(?,00000080), ref: 0063AF83
  • Part of subcall function 0063AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0063AFE6
  • Part of subcall function 0063331C: gethostname.WS2_32(?,00000080), ref: 0063333F
  • Part of subcall function 0063331C: gethostbyname.WS2_32(?), ref: 00633349
  • Part of subcall function 0063AA0A: inet_ntoa.WS2_32(00000000), ref: 0063AA10
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054
APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00639536
• Sleep.KERNEL32(000001F4), ref: 0063955D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277
APIs
• WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162
APIs
• GetTickCount.KERNEL32 ref: 0063B9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 0063BA3A
• InterlockedIncrement.KERNEL32(?), ref: 0063BA94
• GetTickCount.KERNEL32 ref: 0063BB79
• GetTickCount.KERNEL32 ref: 0063BB99
• InterlockedIncrement.KERNEL32(?), ref: 0063BE15
• closesocket.WS2_32(00000000), ref: 0063BEB4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461
                                                                                      • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                      • Instruction ID: ffb68590f6ec7f3ab0fd45189ab9f4dac5b1b3f41cf5ef3752f03ee71f6983c8
                                                                                      • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                      • Instruction Fuzzy Hash: 9531AE71900248DFDF25DFA8DC85AED77BAEB48700F20506AFB2482261DB70DA85CF94
                                                                                      APIs
                                                                                      Strings
                                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTickwsprintf
                                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                      • API String ID: 2424974917-1012700906
                                                                                      • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                      • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                      • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                      • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                      APIs
                                                                                        • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                        • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 3716169038-2903620461
                                                                                      • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                      • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                      • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                                      • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                      APIs
                                                                                      • GetUserNameW.ADVAPI32(?,?), ref: 006370BC
                                                                                      • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 006370F4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Name$AccountLookupUser
                                                                                      • String ID: |
                                                                                      • API String ID: 2370142434-2343686810
                                                                                      • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                      • Instruction ID: a2df3d1bf388b35915737aca290f8920978acbef24d4a8176c8f5043041f687e
                                                                                      • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                      • Instruction Fuzzy Hash: 50110CB390411CEBDF21CFD4DC84ADEB7BEAB05711F1841A6E501E6190D6709B88DBA0
                                                                                      APIs
                                                                                        • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                        • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2777991786-1857712256
                                                                                      • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                      • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                      • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                      • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                      APIs
                                                                                      • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                      • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: IncrementInterlockedlstrcpyn
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 224340156-2903620461
                                                                                      • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                      • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                      • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                      • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                      APIs
                                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                      • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2112563974-1857712256
                                                                                      • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                      • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                      • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                      • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                      APIs
                                                                                      • RegisterServiceCtrlHandlerA.ADVAPI32(jjcfhqgg,Function_00009867), ref: 0040996C
                                                                                        • Part of subcall function 00409892: SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                        • Part of subcall function 004098F2: Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Service$CtrlHandlerRegisterSleepStatus
                                                                                      • String ID: hK$jjcfhqgg
                                                                                      • API String ID: 1317371667-1757453468
                                                                                      • Opcode ID: ca430b9e4608bea333335a69787ed6bca2f17ce8de0e46e285fa1f472da398df
                                                                                      • Instruction ID: 8090f714d00e8c700c7feefac428721607cdcb0429ac14865b211bf96103553c
                                                                                      • Opcode Fuzzy Hash: ca430b9e4608bea333335a69787ed6bca2f17ce8de0e46e285fa1f472da398df
                                                                                      • Instruction Fuzzy Hash: 55F054F2550308AEE2106F616D87B537548A711349F08C03FB919693D3EBBD4D44822D
                                                                                      APIs
                                                                                      • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                      • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbynameinet_addr
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 1594361348-2401304539
                                                                                      • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                      • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                      • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
                                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressLibraryLoadProc
                                                                                      • String ID: ntdll.dll
                                                                                      • API String ID: 2574300362-2227199552
                                                                                      • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                      • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                      • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                      • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                      APIs
                                                                                        • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                        • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                      • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756328515.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_400000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1017166417-0
                                                                                      • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                      • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                      • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                      • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                      APIs
                                                                                        • Part of subcall function 00632F88: GetModuleHandleA.KERNEL32(?), ref: 00632FA1
                                                                                        • Part of subcall function 00632F88: LoadLibraryA.KERNEL32(?), ref: 00632FB1
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006331DA
                                                                                      • HeapFree.KERNEL32(00000000), ref: 006331E1
                                                                                      Memory Dump Source
                                                                                      • Source File: 0000000B.00000002.1756575185.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_11_2_630000_wzsddmnn.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                      • String ID:
                                                                                      • API String ID: 1017166417-0
                                                                                      • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                      • Instruction ID: cf28a9256ad9dd1a5ff7ebf0d7e1705ccf8cef8eabd759ddb77bc01ff8e995ba
                                                                                      • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                      • Instruction Fuzzy Hash: 7C51AA3190025AAFCB059F68D8889EAB776FF15300F1481A8EC9687311E732DB59CBD4

Execution Graph

Execution Coverage: 15%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.7%
Total number of Nodes: 1806
Total number of Limit Nodes: 18
4ca205 6176->6202 6178->6179 6187 4ca1b2 GetDriveTypeA 6178->6187 6180->6179 6482 4c675c 6180->6482 6187->6179 6189 4ca1c5 6187->6189 6630 4c9145 GetModuleHandleA GetModuleFileNameA CharToOemA 6189->6630 6190 4c675c 21 API calls 6192 4c9c79 6190->6192 6192->6175 6197 4c9e3e 6192->6197 6198 4c9ca0 GetTempPathA 6192->6198 6194 4c9bff 6194->6179 6195 4ca491 6196 4ca49f GetTickCount 6195->6196 6199 4ca4be Sleep 6195->6199 6205 4ca4b7 GetTickCount 6195->6205 6378 4cc913 6195->6378 6196->6195 6196->6199 6209 4c9e6b GetEnvironmentVariableA 6197->6209 6211 4c9e04 6197->6211 6198->6197 6201 4c9cba 6198->6201 6199->6195 6555 4c99d2 lstrcpyA 6201->6555 6206 4ca285 lstrlenA 6202->6206 6220 4ca239 6202->6220 6205->6199 6206->6220 6210 4c9e7d 6209->6210 6209->6211 6212 4c99d2 16 API calls 6210->6212 6625 4cec2e 6211->6625 6214 4c9e9d 6212->6214 6214->6211 6218 4c9eb0 lstrcpyA lstrlenA 6214->6218 6215 4c9d5f 6569 4c6cc9 6215->6569 6217 4ca3c2 6642 4c98f2 6217->6642 6219 4c9ef4 6218->6219 6223 4c6dc2 6 API calls 6219->6223 6227 4c9f03 6219->6227 6220->6220 6638 4c6ec3 6220->6638 6223->6227 6224 4ca39d StartServiceCtrlDispatcherA 6224->6217 6225 4c9d72 lstrcpyA lstrcatA lstrcatA 6229 4c9cf6 6225->6229 6226 4ca3c7 6226->6152 6228 4c9f32 RegOpenKeyExA 6227->6228 6231 4c9f48 RegSetValueExA RegCloseKey 6228->6231 6234 4c9f70 6228->6234 6578 4c9326 6229->6578 6230 4ca35f 6230->6217 6230->6224 6231->6234 6239 4c9f9d GetModuleHandleA GetModuleFileNameA 6234->6239 6235 4c9dde GetFileAttributesExA 6236 4c9e0c DeleteFileA 6235->6236 6237 4c9df7 6235->6237 6236->6197 6237->6211 6615 4c96ff 6237->6615 6241 4ca093 6239->6241 6242 4c9fc2 6239->6242 6243 4ca103 CreateProcessA 6241->6243 6244 4ca0a4 wsprintfA 6241->6244 6242->6241 6248 4c9ff1 GetDriveTypeA 6242->6248 6245 4ca13a 6243->6245 6246 4ca12a DeleteFileA 6243->6246 6621 4c2544 6244->6621 6245->6211 6252 4c96ff 3 API calls 6245->6252 6246->6245 6248->6241 6250 4ca00d 6248->6250 6254 4ca02d lstrcatA 6250->6254 6252->6211 6255 4ca046 
6254->6255 6256 4ca064 lstrcatA 6255->6256 6257 4ca052 lstrcatA 6255->6257 6256->6241 6258 4ca081 lstrcatA 6256->6258 6257->6256 6258->6241 6259->6145 6649 4cdd05 GetTickCount 6260->6649 6262 4ce538 6657 4cdbcf 6262->6657 6264 4ce544 6265 4ce555 GetFileSize 6264->6265 6269 4ce5b8 6264->6269 6266 4ce566 6265->6266 6267 4ce5b1 CloseHandle 6265->6267 6681 4cdb2e 6266->6681 6267->6269 6667 4ce3ca RegOpenKeyExA 6269->6667 6271 4ce576 ReadFile 6271->6267 6273 4ce58d 6271->6273 6685 4ce332 6273->6685 6274 4ce5f2 6277 4ce629 6274->6277 6278 4ce3ca 19 API calls 6274->6278 6277->6154 6278->6277 6280 4ceabe 6279->6280 6282 4ceaba 6279->6282 6281 4cdd05 6 API calls 6280->6281 6280->6282 6281->6282 6282->6159 6284 4cee2a 6283->6284 6285 4c1db4 GetVersionExA 6284->6285 6286 4c1dd0 GetSystemInfo GetModuleHandleA GetProcAddress 6285->6286 6288 4c1e24 6286->6288 6289 4c1e16 GetCurrentProcess 6286->6289 6743 4ce819 6288->6743 6289->6288 6291 4c1e3d 6292 4ce819 11 API calls 6291->6292 6293 4c1e4e 6292->6293 6294 4c1e77 6293->6294 6784 4cdf70 6293->6784 6750 4cea84 6294->6750 6297 4c1e6c 6299 4cdf70 12 API calls 6297->6299 6299->6294 6300 4ce819 11 API calls 6301 4c1e93 6300->6301 6754 4c199c inet_addr LoadLibraryA 6301->6754 6304 4ce819 11 API calls 6305 4c1eb9 6304->6305 6306 4c1ed8 6305->6306 6307 4cf04e 4 API calls 6305->6307 6308 4ce819 11 API calls 6306->6308 6309 4c1ec9 6307->6309 6310 4c1eee 6308->6310 6311 4cea84 30 API calls 6309->6311 6312 4c1f0a 6310->6312 6768 4c1b71 6310->6768 6311->6306 6313 4ce819 11 API calls 6312->6313 6315 4c1f23 6313->6315 6317 4c1f3f 6315->6317 6772 4c1bdf 6315->6772 6316 4c1efd 6318 4cea84 30 API calls 6316->6318 6320 4ce819 11 API calls 6317->6320 6318->6312 6322 4c1f5e 6320->6322 6324 4c1f77 6322->6324 6325 4cea84 30 API calls 6322->6325 6323 4cea84 30 API calls 6323->6317 6780 4c30b5 6324->6780 6325->6324 6328 4c6ec3 2 API calls 6330 4c1f8e GetTickCount 6328->6330 6330->6161 6332 4c6ec3 2 API calls 6331->6332 6333 4c80eb 6332->6333 6334 4c80ef 
6333->6334 6335 4c80f9 6333->6335 6838 4c7ee6 6334->6838 6851 4c704c 6335->6851 6338 4c80f4 6340 4c675c 21 API calls 6338->6340 6350 4c8269 CreateThread 6338->6350 6339 4c8110 6339->6338 6341 4c8156 RegOpenKeyExA 6339->6341 6343 4c8244 6340->6343 6342 4c816d RegQueryValueExA 6341->6342 6346 4c8216 6341->6346 6344 4c818d 6342->6344 6345 4c81f7 6342->6345 6348 4cec2e codecvt 4 API calls 6343->6348 6343->6350 6344->6345 6351 4cebcc 4 API calls 6344->6351 6347 4c820d RegCloseKey 6345->6347 6349 4cec2e codecvt 4 API calls 6345->6349 6346->6338 6347->6346 6348->6350 6356 4c81dd 6349->6356 6357 4c5e6c 6350->6357 7312 4c877e 6350->7312 6352 4c81a0 6351->6352 6352->6347 6353 4c81aa RegQueryValueExA 6352->6353 6353->6345 6354 4c81c4 6353->6354 6355 4cebcc 4 API calls 6354->6355 6355->6356 6356->6347 6953 4cec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6357->6953 6359 4c5e71 6954 4ce654 6359->6954 6361 4c5ec1 6362 4c3132 6361->6362 6363 4cdf70 12 API calls 6362->6363 6364 4c313b 6363->6364 6365 4cc125 6364->6365 6965 4cec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6365->6965 6367 4cc12d 6368 4ce654 13 API calls 6367->6368 6369 4cc2bd 6368->6369 6370 4ce654 13 API calls 6369->6370 6371 4cc2c9 6370->6371 6372 4ce654 13 API calls 6371->6372 6373 4ca47a 6372->6373 6374 4c8db1 6373->6374 6375 4c8dbc 6374->6375 6376 4ce654 13 API calls 6375->6376 6377 4c8dec Sleep 6376->6377 6377->6195 6379 4cc92f 6378->6379 6380 4cc93c 6379->6380 6977 4cc517 6379->6977 6382 4cca2b 6380->6382 6383 4ce819 11 API calls 6380->6383 6382->6195 6384 4cc96a 6383->6384 6385 4ce819 11 API calls 6384->6385 6386 4cc97d 6385->6386 6387 4ce819 11 API calls 6386->6387 6388 4cc990 6387->6388 6389 4cc9aa 6388->6389 6390 4cebcc 4 API calls 6388->6390 6389->6382 6966 4c2684 6389->6966 6390->6389 6395 4cca26 6994 4cc8aa 6395->6994 6398 4cca44 6399 4cca4b closesocket 6398->6399 6400 4cca83 6398->6400 6399->6395 6401 4cea84 30 API calls 6400->6401 6402 4ccaac 6401->6402 6403 4cf04e 4 
API calls 6402->6403 6404 4ccab2 6403->6404 6405 4cea84 30 API calls 6404->6405 6406 4ccaca 6405->6406 6407 4cea84 30 API calls 6406->6407 6408 4ccad9 6407->6408 6998 4cc65c 6408->6998 6411 4ccb60 closesocket 6411->6382 6413 4cdad2 closesocket 6414 4ce318 23 API calls 6413->6414 6415 4cdae0 6414->6415 6415->6382 6416 4cdf4c 20 API calls 6438 4ccb70 6416->6438 6421 4cc65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 6421->6438 6422 4ce654 13 API calls 6422->6438 6425 4cf04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 6425->6438 6429 4cea84 30 API calls 6429->6438 6430 4cd569 closesocket Sleep 7045 4ce318 6430->7045 6431 4cd815 wsprintfA 6431->6438 6432 4ccc1c GetTempPathA 6432->6438 6433 4cc517 23 API calls 6433->6438 6435 4c7ead 6 API calls 6435->6438 6436 4ce8a1 30 API calls 6436->6438 6437 4cd582 ExitProcess 6438->6413 6438->6416 6438->6421 6438->6422 6438->6425 6438->6429 6438->6430 6438->6431 6438->6432 6438->6433 6438->6435 6438->6436 6439 4ccfe3 GetSystemDirectoryA 6438->6439 6440 4ccfad GetEnvironmentVariableA 6438->6440 6441 4c675c 21 API calls 6438->6441 6442 4cd027 GetSystemDirectoryA 6438->6442 6443 4cd105 lstrcatA 6438->6443 6444 4cef1e lstrlenA 6438->6444 6445 4ccc9f CreateFileA 6438->6445 6446 4cec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 6438->6446 6448 4cd15b CreateFileA 6438->6448 6453 4cd149 SetFileAttributesA 6438->6453 6454 4cd36e GetEnvironmentVariableA 6438->6454 6455 4cd1bf SetFileAttributesA 6438->6455 6456 4c8e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 6438->6456 6458 4cd22d GetEnvironmentVariableA 6438->6458 6459 4cd3af lstrcatA 6438->6459 6461 4cd3f2 CreateFileA 6438->6461 6463 4c7fcf 64 API calls 6438->6463 6469 4cd3e0 SetFileAttributesA 6438->6469 6470 4cd26e lstrcatA 6438->6470 6472 4cd4b1 CreateProcessA 6438->6472 6474 4cd2b1 CreateFileA 6438->6474 6475 4c7ee6 64 API calls 6438->6475 6476 4cd452 SetFileAttributesA 6438->6476 6479 4cd29f 
SetFileAttributesA 6438->6479 6481 4cd31d SetFileAttributesA 6438->6481 7006 4cc75d 6438->7006 7018 4c7e2f 6438->7018 7040 4c7ead 6438->7040 7050 4c31d0 6438->7050 7067 4c3c09 6438->7067 7077 4c3a00 6438->7077 7081 4ce7b4 6438->7081 7084 4cc06c 6438->7084 7090 4c6f5f GetUserNameA 6438->7090 7101 4ce854 6438->7101 7111 4c7dd6 6438->7111 6439->6438 6440->6438 6441->6438 6442->6438 6443->6438 6444->6438 6445->6438 6447 4cccc6 WriteFile 6445->6447 6446->6438 6449 4ccdcc CloseHandle 6447->6449 6450 4ccced CloseHandle 6447->6450 6448->6438 6451 4cd182 WriteFile CloseHandle 6448->6451 6449->6438 6457 4ccd2f 6450->6457 6451->6438 6452 4ccd16 wsprintfA 6452->6457 6453->6448 6454->6438 6455->6438 6456->6438 6457->6452 7027 4c7fcf 6457->7027 6458->6438 6459->6438 6459->6461 6461->6438 6464 4cd415 WriteFile CloseHandle 6461->6464 6463->6438 6464->6438 6465 4ccda5 6468 4c7ee6 64 API calls 6465->6468 6466 4ccd81 WaitForSingleObject CloseHandle CloseHandle 6467 4cf04e 4 API calls 6466->6467 6467->6465 6471 4ccdbd DeleteFileA 6468->6471 6469->6461 6470->6438 6470->6474 6471->6438 6472->6438 6473 4cd4e8 CloseHandle CloseHandle 6472->6473 6473->6438 6474->6438 6477 4cd2d8 WriteFile CloseHandle 6474->6477 6475->6438 6476->6438 6477->6438 6479->6474 6481->6438 6483 4c677a SetFileAttributesA 6482->6483 6484 4c6784 CreateFileA 6482->6484 6483->6484 6485 4c67a4 CreateFileA 6484->6485 6486 4c67b5 6484->6486 6485->6486 6487 4c67ba SetFileAttributesA 6486->6487 6488 4c67c5 6486->6488 6487->6488 6489 4c67cf GetFileSize 6488->6489 6490 4c6977 6488->6490 6491 4c67e5 6489->6491 6509 4c6965 6489->6509 6490->6179 6510 4c6a60 CreateFileA 6490->6510 6493 4c67ed ReadFile 6491->6493 6491->6509 6492 4c696e FindCloseChangeNotification 6492->6490 6494 4c6811 SetFilePointer 6493->6494 6493->6509 6495 4c682a ReadFile 6494->6495 6494->6509 6496 4c6848 SetFilePointer 6495->6496 6495->6509 6497 4c6867 6496->6497 6496->6509 6498 4c6878 ReadFile 6497->6498 6499 4c68d5 6497->6499 6500 4c68d0 6498->6500 6503 
4c6891 6498->6503 6499->6492 6501 4cebcc 4 API calls 6499->6501 6500->6499 6502 4c68f8 6501->6502 6504 4c6900 SetFilePointer 6502->6504 6502->6509 6503->6498 6503->6500 6505 4c690d ReadFile 6504->6505 6506 4c695a 6504->6506 6505->6506 6507 4c6922 6505->6507 6508 4cec2e codecvt 4 API calls 6506->6508 6507->6492 6508->6509 6509->6492 6511 4c6b8c GetLastError 6510->6511 6512 4c6a8f GetDiskFreeSpaceA 6510->6512 6513 4c6b86 6511->6513 6514 4c6ac5 6512->6514 6521 4c6ad7 6512->6521 6513->6194 7196 4ceb0e 6514->7196 6518 4c6b56 CloseHandle 6518->6513 6520 4c6b65 GetLastError CloseHandle 6518->6520 6519 4c6b36 GetLastError CloseHandle 6522 4c6b7f DeleteFileA 6519->6522 6520->6522 7200 4c6987 6521->7200 6522->6513 6524 4c96b9 6523->6524 6525 4c73ff 17 API calls 6524->6525 6526 4c96e2 6525->6526 6527 4c96f7 6526->6527 6528 4c704c 16 API calls 6526->6528 6527->6171 6527->6172 6528->6527 6530 4c429d 6529->6530 6531 4c42a5 6529->6531 6530->6175 6530->6190 7206 4c3ecd 6531->7206 6533 4c42b0 7210 4c4000 6533->7210 6535 4c42b6 6535->6530 6536 4c43c1 CloseHandle 6535->6536 7216 4c3f18 WriteFile 6535->7216 6536->6530 6541 4c43ba CloseHandle 6541->6536 6542 4c4318 6543 4c3f18 4 API calls 6542->6543 6544 4c4331 6543->6544 6545 4c3f18 4 API calls 6544->6545 6546 4c434a 6545->6546 6547 4cebcc 4 API calls 6546->6547 6548 4c4350 6547->6548 6549 4c3f18 4 API calls 6548->6549 6550 4c4389 6549->6550 6551 4cec2e codecvt 4 API calls 6550->6551 6552 4c438f 6551->6552 6553 4c3f8c 4 API calls 6552->6553 6554 4c439f CloseHandle CloseHandle 6553->6554 6554->6530 6556 4c99eb 6555->6556 6557 4c9a2f lstrcatA 6556->6557 6558 4cee2a 6557->6558 6559 4c9a4b lstrcatA 6558->6559 6560 4c6a60 13 API calls 6559->6560 6561 4c9a60 6560->6561 6561->6197 6561->6229 6562 4c6dc2 6561->6562 6563 4c6dd7 6562->6563 6564 4c6e33 6562->6564 6565 4c6cc9 5 API calls 6563->6565 6564->6215 6566 4c6ddc 6565->6566 6566->6566 6567 4c6e02 GetVolumeInformationA 6566->6567 6568 4c6e24 6566->6568 6567->6568 6568->6564 6570 4c6cdc 
GetModuleHandleA GetProcAddress 6569->6570 6575 4c6d8b 6569->6575 6571 4c6cfd 6570->6571 6572 4c6d12 GetSystemDirectoryA 6570->6572 6571->6572 6571->6575 6573 4c6d1e 6572->6573 6574 4c6d27 GetWindowsDirectoryA 6572->6574 6573->6574 6573->6575 6577 4c6d42 6574->6577 6575->6225 6576 4cef1e lstrlenA 6576->6575 6577->6576 7224 4c1910 6578->7224 6581 4c934a GetModuleHandleA GetModuleFileNameA 6583 4c937f 6581->6583 6584 4c93d9 6583->6584 6585 4c93a4 6583->6585 6586 4c9401 wsprintfA 6584->6586 6587 4c93c3 wsprintfA 6585->6587 6588 4c9415 6586->6588 6587->6588 6591 4c6cc9 5 API calls 6588->6591 6611 4c94a0 6588->6611 6589 4c6edd 5 API calls 6590 4c94ac 6589->6590 6592 4c962f 6590->6592 6594 4c94e8 RegOpenKeyExA 6590->6594 6593 4c9439 6591->6593 6596 4c9646 6592->6596 7239 4c1820 6592->7239 6602 4cef1e lstrlenA 6593->6602 6597 4c94fb 6594->6597 6598 4c9502 6594->6598 6607 4c95d6 6596->6607 7245 4c91eb 6596->7245 6597->6592 6600 4c958a 6597->6600 6601 4c951f RegQueryValueExA 6598->6601 6600->6596 6603 4c9593 6600->6603 6604 4c9539 6601->6604 6605 4c9530 6601->6605 6606 4c9462 6602->6606 6603->6607 7226 4cf0e4 6603->7226 6609 4c9556 RegQueryValueExA 6604->6609 6608 4c956e RegCloseKey 6605->6608 6610 4c947e wsprintfA 6606->6610 6607->6235 6607->6236 6608->6597 6609->6605 6609->6608 6610->6611 6611->6589 6613 4c95bb 6613->6607 7233 4c18e0 6613->7233 6616 4c2544 6615->6616 6617 4c972d RegOpenKeyExA 6616->6617 6618 4c9740 6617->6618 6620 4c9765 6617->6620 6619 4c974f RegDeleteValueA RegCloseKey 6618->6619 6619->6620 6620->6211 6622 4c2554 lstrcatA 6621->6622 6623 4cee2a 6622->6623 6624 4ca0ec lstrcatA 6623->6624 6624->6243 6626 4ca15d 6625->6626 6627 4cec37 6625->6627 6626->6175 6626->6179 6628 4ceba0 codecvt 2 API calls 6627->6628 6629 4cec3d GetProcessHeap RtlFreeHeap 6628->6629 6629->6626 6631 4c2544 6630->6631 6632 4c919e wsprintfA 6631->6632 6633 4c91bb 6632->6633 7283 4c9064 GetTempPathA 6633->7283 6636 4c91d5 ShellExecuteA 6637 4c91e7 6636->6637 6637->6194 6639 4c6ed5 
6638->6639 6640 4c6ecc 6638->6640 6639->6230 6641 4c6e36 2 API calls 6640->6641 6641->6639 6643 4c98f6 6642->6643 6644 4c4280 30 API calls 6643->6644 6645 4c9904 Sleep 6643->6645 6646 4c9915 6643->6646 6644->6643 6645->6643 6645->6646 6648 4c9947 6646->6648 7290 4c977c 6646->7290 6648->6226 6650 4cdd41 InterlockedExchange 6649->6650 6651 4cdd4a 6650->6651 6652 4cdd20 GetCurrentThreadId 6650->6652 6654 4cdd53 GetCurrentThreadId 6651->6654 6653 4cdd2e GetTickCount 6652->6653 6652->6654 6655 4cdd4c 6653->6655 6656 4cdd39 Sleep 6653->6656 6654->6262 6655->6654 6656->6650 6658 4cdbf0 6657->6658 6690 4cdb67 GetEnvironmentVariableA 6658->6690 6660 4cdc19 6661 4cdcda 6660->6661 6662 4cdb67 3 API calls 6660->6662 6661->6264 6663 4cdc5c 6662->6663 6663->6661 6664 4cdb67 3 API calls 6663->6664 6665 4cdc9b 6664->6665 6665->6661 6666 4cdb67 3 API calls 6665->6666 6666->6661 6668 4ce528 6667->6668 6669 4ce3f4 6667->6669 6668->6274 6670 4ce434 RegQueryValueExA 6669->6670 6671 4ce51d RegCloseKey 6670->6671 6672 4ce458 6670->6672 6671->6668 6673 4ce46e RegQueryValueExA 6672->6673 6673->6672 6674 4ce488 6673->6674 6674->6671 6675 4cdb2e 8 API calls 6674->6675 6676 4ce499 6675->6676 6676->6671 6677 4ce4b9 RegQueryValueExA 6676->6677 6678 4ce4e8 6676->6678 6677->6676 6677->6678 6678->6671 6679 4ce332 14 API calls 6678->6679 6680 4ce513 6679->6680 6680->6671 6682 4cdb3a 6681->6682 6683 4cdb55 6681->6683 6694 4cebed 6682->6694 6683->6267 6683->6271 6712 4cf04e SystemTimeToFileTime GetSystemTimeAsFileTime 6685->6712 6687 4ce3be 6687->6267 6688 4ce342 6688->6687 6715 4cde24 6688->6715 6691 4cdbca 6690->6691 6692 4cdb89 lstrcpyA CreateFileA 6690->6692 6691->6660 6692->6660 6695 4cebf6 6694->6695 6696 4cec01 6694->6696 6703 4cebcc GetProcessHeap RtlAllocateHeap 6695->6703 6706 4ceba0 6696->6706 6704 4ceb74 2 API calls 6703->6704 6705 4cebe8 6704->6705 6705->6683 6707 4cebbf GetProcessHeap RtlReAllocateHeap 6706->6707 6708 4ceba7 GetProcessHeap HeapSize 6706->6708 6709 4ceb74 6707->6709 
6708->6707 6710 4ceb93 6709->6710 6711 4ceb7b GetProcessHeap HeapSize 6709->6711 6710->6683 6711->6710 6726 4ceb41 6712->6726 6714 4cf0b7 6714->6688 6716 4cde3a 6715->6716 6723 4cde4e 6716->6723 6735 4cdd84 6716->6735 6719 4cde9e 6720 4cebed 8 API calls 6719->6720 6719->6723 6724 4cdef6 6720->6724 6721 4cde76 6739 4cddcf 6721->6739 6723->6688 6724->6723 6725 4cddcf lstrcmpA 6724->6725 6725->6723 6727 4ceb4a 6726->6727 6728 4ceb61 6726->6728 6731 4ceae4 6727->6731 6728->6714 6730 4ceb54 6730->6714 6730->6728 6732 4ceaed LoadLibraryA 6731->6732 6733 4ceb02 GetProcAddress 6731->6733 6732->6733 6734 4ceb01 6732->6734 6733->6730 6734->6730 6736 4cdd96 6735->6736 6738 4cddc5 6735->6738 6737 4cddad lstrcmpiA 6736->6737 6736->6738 6737->6736 6737->6738 6738->6719 6738->6721 6740 4cdddd 6739->6740 6742 4cde20 6739->6742 6741 4cddfa lstrcmpA 6740->6741 6740->6742 6741->6740 6742->6723 6744 4cdd05 6 API calls 6743->6744 6745 4ce821 6744->6745 6746 4cdd84 lstrcmpiA 6745->6746 6747 4ce82c 6746->6747 6748 4ce844 6747->6748 6793 4c2480 6747->6793 6748->6291 6751 4cea98 6750->6751 6802 4ce8a1 6751->6802 6753 4c1e84 6753->6300 6755 4c19d5 GetProcAddress GetProcAddress GetProcAddress 6754->6755 6758 4c19ce 6754->6758 6756 4c1a04 6755->6756 6757 4c1ab3 FreeLibrary 6755->6757 6756->6757 6759 4c1a14 GetBestInterface GetProcessHeap 6756->6759 6757->6758 6758->6304 6759->6758 6760 4c1a2e HeapAlloc 6759->6760 6760->6758 6761 4c1a42 GetAdaptersInfo 6760->6761 6762 4c1a62 6761->6762 6763 4c1a52 HeapReAlloc 6761->6763 6764 4c1a69 GetAdaptersInfo 6762->6764 6765 4c1aa1 FreeLibrary 6762->6765 6763->6762 6764->6765 6767 4c1a75 HeapFree 6764->6767 6765->6758 6767->6765 6830 4c1ac3 LoadLibraryA 6768->6830 6771 4c1bcf 6771->6316 6773 4c1ac3 13 API calls 6772->6773 6774 4c1c09 6773->6774 6775 4c1c0d GetComputerNameA 6774->6775 6776 4c1c5a 6774->6776 6777 4c1c1f 6775->6777 6778 4c1c45 GetVolumeInformationA 6775->6778 6776->6323 6777->6778 6779 4c1c41 6777->6779 6778->6776 6779->6776 6781 4cee2a 
6780->6781 6782 4c30d0 gethostname gethostbyname 6781->6782 6783 4c1f82 6782->6783 6783->6328 6783->6330 6785 4cdd05 6 API calls 6784->6785 6786 4cdf7c 6785->6786 6787 4cdd84 lstrcmpiA 6786->6787 6792 4cdf89 6787->6792 6788 4cdfc4 6788->6297 6789 4cddcf lstrcmpA 6789->6792 6790 4cec2e codecvt 4 API calls 6790->6792 6791 4cdd84 lstrcmpiA 6791->6792 6792->6788 6792->6789 6792->6790 6792->6791 6796 4c2419 lstrlenA 6793->6796 6795 4c2491 6795->6748 6797 4c243d lstrlenA 6796->6797 6798 4c2474 6796->6798 6799 4c244e lstrcmpiA 6797->6799 6800 4c2464 lstrlenA 6797->6800 6798->6795 6799->6800 6801 4c245c 6799->6801 6800->6797 6800->6798 6801->6798 6801->6800 6803 4cdd05 6 API calls 6802->6803 6804 4ce8b4 6803->6804 6805 4cdd84 lstrcmpiA 6804->6805 6806 4ce8c0 6805->6806 6807 4ce8c8 lstrcpynA 6806->6807 6808 4ce90a 6806->6808 6810 4ce8f5 6807->6810 6809 4c2419 4 API calls 6808->6809 6818 4cea27 6808->6818 6811 4ce926 lstrlenA lstrlenA 6809->6811 6823 4cdf4c 6810->6823 6812 4ce94c lstrlenA 6811->6812 6813 4ce96a 6811->6813 6812->6813 6817 4cebcc 4 API calls 6813->6817 6813->6818 6815 4ce901 6816 4cdd84 lstrcmpiA 6815->6816 6816->6808 6819 4ce98f 6817->6819 6818->6753 6819->6818 6820 4cdf4c 20 API calls 6819->6820 6821 4cea1e 6820->6821 6822 4cec2e codecvt 4 API calls 6821->6822 6822->6818 6824 4cdd05 6 API calls 6823->6824 6825 4cdf51 6824->6825 6826 4cf04e 4 API calls 6825->6826 6827 4cdf58 6826->6827 6828 4cde24 10 API calls 6827->6828 6829 4cdf63 6828->6829 6829->6815 6831 4c1ae2 GetProcAddress 6830->6831 6835 4c1b68 GetComputerNameA GetVolumeInformationA 6830->6835 6832 4c1af5 6831->6832 6831->6835 6833 4c1b1c GetAdaptersAddresses 6832->6833 6834 4cebed 8 API calls 6832->6834 6836 4c1b29 6832->6836 6833->6832 6833->6836 6834->6832 6835->6771 6836->6835 6837 4cec2e codecvt 4 API calls 6836->6837 6837->6835 6839 4c6ec3 2 API calls 6838->6839 6840 4c7ef4 6839->6840 6850 4c7fc9 6840->6850 6874 4c73ff 6840->6874 6842 4c7f16 6842->6850 6894 4c7809 GetUserNameA 6842->6894 6844 
4c7f63 6844->6850 6918 4cef1e lstrlenA 6844->6918 6847 4cef1e lstrlenA 6848 4c7fb7 6847->6848 6920 4c7a95 RegOpenKeyExA 6848->6920 6850->6338 6852 4c7073 6851->6852 6853 4c70b9 RegOpenKeyExA 6852->6853 6854 4c70d0 6853->6854 6868 4c71b8 6853->6868 6855 4c6dc2 6 API calls 6854->6855 6858 4c70d5 6855->6858 6856 4c719b RegEnumValueA 6857 4c71af RegCloseKey 6856->6857 6856->6858 6857->6868 6858->6856 6860 4c71d0 6858->6860 6951 4cf1a5 lstrlenA 6858->6951 6861 4c7205 RegCloseKey 6860->6861 6862 4c7227 6860->6862 6861->6868 6863 4c728e RegCloseKey 6862->6863 6864 4c72b8 ___ascii_stricmp 6862->6864 6863->6868 6865 4c72cd RegCloseKey 6864->6865 6866 4c72dd 6864->6866 6865->6868 6867 4c7311 RegCloseKey 6866->6867 6869 4c7335 6866->6869 6867->6868 6868->6339 6870 4c73d5 RegCloseKey 6869->6870 6872 4c737e GetFileAttributesExA 6869->6872 6873 4c7397 6869->6873 6871 4c73e4 6870->6871 6872->6873 6873->6870 6875 4c741b 6874->6875 6876 4c6dc2 6 API calls 6875->6876 6877 4c743f 6876->6877 6878 4c7469 RegOpenKeyExA 6877->6878 6879 4c77f9 6878->6879 6890 4c7487 ___ascii_stricmp 6878->6890 6879->6842 6880 4c7703 RegEnumKeyA 6881 4c7714 RegCloseKey 6880->6881 6880->6890 6881->6879 6882 4cf1a5 lstrlenA 6882->6890 6883 4c74d2 RegOpenKeyExA 6883->6890 6884 4c772c 6886 4c774b 6884->6886 6887 4c7742 RegCloseKey 6884->6887 6885 4c7521 RegQueryValueExA 6885->6890 6889 4c77ec RegCloseKey 6886->6889 6887->6886 6888 4c76e4 RegCloseKey 6888->6890 6889->6879 6890->6880 6890->6882 6890->6883 6890->6884 6890->6885 6890->6888 6891 4c7769 6890->6891 6893 4c777e GetFileAttributesExA 6890->6893 6892 4c77e3 RegCloseKey 6891->6892 6892->6889 6893->6891 6895 4c783d LookupAccountNameA 6894->6895 6901 4c7a8d 6894->6901 6896 4c7874 GetLengthSid GetFileSecurityA 6895->6896 6895->6901 6897 4c78a8 GetSecurityDescriptorOwner 6896->6897 6896->6901 6898 4c791d GetSecurityDescriptorDacl 6897->6898 6899 4c78c5 EqualSid 6897->6899 6898->6901 6912 4c7941 6898->6912 6899->6898 6900 4c78dc LocalAlloc 6899->6900 
6900->6898 6902 4c78ef InitializeSecurityDescriptor 6900->6902 6901->6844 6903 4c78fb SetSecurityDescriptorOwner 6902->6903 6904 4c7916 LocalFree 6902->6904 6903->6904 6906 4c790b SetFileSecurityA 6903->6906 6904->6898 6905 4c795b GetAce 6905->6912 6906->6904 6907 4c7980 EqualSid 6907->6912 6908 4c7a3d 6908->6901 6911 4c7a43 LocalAlloc 6908->6911 6909 4c79be EqualSid 6909->6912 6910 4c799d DeleteAce 6910->6912 6911->6901 6913 4c7a56 InitializeSecurityDescriptor 6911->6913 6912->6901 6912->6905 6912->6907 6912->6908 6912->6909 6912->6910 6914 4c7a86 LocalFree 6913->6914 6915 4c7a62 SetSecurityDescriptorDacl 6913->6915 6914->6901 6915->6914 6916 4c7a73 SetFileSecurityA 6915->6916 6916->6914 6917 4c7a83 6916->6917 6917->6914 6919 4c7fa6 6918->6919 6919->6847 6921 4c7acb GetUserNameA 6920->6921 6922 4c7ac4 6920->6922 6923 4c7aed LookupAccountNameA 6921->6923 6924 4c7da7 RegCloseKey 6921->6924 6922->6850 6923->6924 6925 4c7b24 RegGetKeySecurity 6923->6925 6924->6922 6925->6924 6926 4c7b49 GetSecurityDescriptorOwner 6925->6926 6927 4c7bb8 GetSecurityDescriptorDacl 6926->6927 6928 4c7b63 EqualSid 6926->6928 6929 4c7da6 6927->6929 6943 4c7bdc 6927->6943 6928->6927 6930 4c7b74 LocalAlloc 6928->6930 6929->6924 6930->6927 6931 4c7b8a InitializeSecurityDescriptor 6930->6931 6932 4c7b96 SetSecurityDescriptorOwner 6931->6932 6933 4c7bb1 LocalFree 6931->6933 6932->6933 6935 4c7ba6 RegSetKeySecurity 6932->6935 6933->6927 6934 4c7bf8 GetAce 6934->6943 6935->6933 6936 4c7c1d EqualSid 6936->6943 6937 4c7cd9 6937->6929 6940 4c7d5a LocalAlloc 6937->6940 6942 4c7cf2 RegOpenKeyExA 6937->6942 6938 4c7c5f EqualSid 6938->6943 6939 4c7c3a DeleteAce 6939->6943 6940->6929 6941 4c7d70 InitializeSecurityDescriptor 6940->6941 6944 4c7d7c SetSecurityDescriptorDacl 6941->6944 6945 4c7d9f LocalFree 6941->6945 6942->6940 6948 4c7d0f 6942->6948 6943->6929 6943->6934 6943->6936 6943->6937 6943->6938 6943->6939 6944->6945 6946 4c7d8c RegSetKeySecurity 6944->6946 6945->6929 6946->6945 6947 4c7d9c 
6946->6947 6947->6945 6949 4c7d43 RegSetValueExA 6948->6949 6949->6940 6950 4c7d54 6949->6950 6950->6940 6952 4cf1c3 6951->6952 6952->6858 6953->6359 6955 4cdd05 6 API calls 6954->6955 6958 4ce65f 6955->6958 6956 4ce6a5 6957 4cebcc 4 API calls 6956->6957 6961 4ce6f5 6956->6961 6960 4ce6b0 6957->6960 6958->6956 6959 4ce68c lstrcmpA 6958->6959 6959->6958 6960->6961 6963 4ce6b7 6960->6963 6964 4ce6e0 lstrcpynA 6960->6964 6962 4ce71d lstrcmpA 6961->6962 6961->6963 6962->6961 6963->6361 6964->6961 6965->6367 6967 4c268e 6966->6967 6968 4c2692 inet_addr 6966->6968 6970 4cf428 6967->6970 6968->6967 6969 4c269e gethostbyname 6968->6969 6969->6967 7118 4cf315 6970->7118 6973 4cf43e 6974 4cf473 recv 6973->6974 6975 4cf47c 6974->6975 6976 4cf458 6974->6976 6975->6398 6976->6974 6976->6975 6978 4cc532 6977->6978 6979 4cc525 6977->6979 6980 4cc548 6978->6980 7131 4ce7ff 6978->7131 6979->6978 6981 4cec2e codecvt 4 API calls 6979->6981 6983 4ce7ff lstrcmpiA 6980->6983 6992 4cc54f 6980->6992 6981->6978 6984 4cc615 6983->6984 6985 4cebcc 4 API calls 6984->6985 6984->6992 6985->6992 6987 4cc5d1 6989 4cebcc 4 API calls 6987->6989 6988 4ce819 11 API calls 6990 4cc5b7 6988->6990 6989->6992 6991 4cf04e 4 API calls 6990->6991 6993 4cc5bf 6991->6993 6992->6380 6993->6980 6993->6987 6995 4cc8d2 6994->6995 6996 4cc907 6995->6996 6997 4cc517 23 API calls 6995->6997 6996->6382 6997->6996 6999 4cc670 6998->6999 7002 4cc67d 6998->7002 7000 4cebcc 4 API calls 6999->7000 7000->7002 7001 4cebcc 4 API calls 7004 4cc699 7001->7004 7002->7001 7002->7004 7003 4cc6f3 7003->6411 7003->6438 7004->7003 7005 4cc73c send 7004->7005 7005->7003 7007 4cc770 7006->7007 7008 4cc77d 7006->7008 7010 4cebcc 4 API calls 7007->7010 7009 4cc799 7008->7009 7011 4cebcc 4 API calls 7008->7011 7012 4cc7b5 7009->7012 7013 4cebcc 4 API calls 7009->7013 7010->7008 7011->7009 7014 4cf43e recv 7012->7014 7013->7012 7015 4cc7cb 7014->7015 7016 4cf43e recv 7015->7016 7017 4cc7d3 7015->7017 7016->7017 7017->6438 7134 4c7db7 
7018->7134 7021 4cf04e 4 API calls 7023 4c7e4c 7021->7023 7022 4c7e96 7022->6438 7025 4cf04e 4 API calls 7023->7025 7026 4c7e70 7023->7026 7024 4cf04e 4 API calls 7024->7022 7025->7026 7026->7022 7026->7024 7028 4c6ec3 2 API calls 7027->7028 7029 4c7fdd 7028->7029 7030 4c73ff 17 API calls 7029->7030 7039 4c80c2 CreateProcessA 7029->7039 7031 4c7fff 7030->7031 7032 4c7809 21 API calls 7031->7032 7031->7039 7033 4c804d 7032->7033 7034 4cef1e lstrlenA 7033->7034 7033->7039 7035 4c809e 7034->7035 7036 4cef1e lstrlenA 7035->7036 7037 4c80af 7036->7037 7038 4c7a95 24 API calls 7037->7038 7038->7039 7039->6465 7039->6466 7041 4c7db7 2 API calls 7040->7041 7042 4c7eb8 7041->7042 7043 4cf04e 4 API calls 7042->7043 7044 4c7ece DeleteFileA 7043->7044 7044->6438 7046 4cdd05 6 API calls 7045->7046 7047 4ce31d 7046->7047 7138 4ce177 7047->7138 7049 4ce326 7049->6437 7051 4c31ec 7050->7051 7052 4c31f3 7050->7052 7051->6438 7053 4cebcc 4 API calls 7052->7053 7066 4c31fc 7053->7066 7054 4c349d 7057 4cec2e codecvt 4 API calls 7054->7057 7055 4c3459 7056 4cf04e 4 API calls 7055->7056 7058 4c345f 7056->7058 7057->7051 7059 4c30fa 4 API calls 7058->7059 7059->7051 7060 4cebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7060->7066 7061 4c344d 7062 4cec2e codecvt 4 API calls 7061->7062 7063 4c344b 7062->7063 7063->7054 7063->7055 7065 4c3141 lstrcmpiA 7065->7066 7066->7051 7066->7060 7066->7061 7066->7063 7066->7065 7164 4c30fa GetTickCount 7066->7164 7068 4c30fa 4 API calls 7067->7068 7069 4c3c1a 7068->7069 7070 4c3ce6 7069->7070 7169 4c3a72 7069->7169 7070->6438 7073 4c3a72 9 API calls 7075 4c3c5e 7073->7075 7074 4c3a72 9 API calls 7074->7075 7075->7070 7075->7074 7076 4cec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7075->7076 7076->7075 7078 4c3a10 7077->7078 7079 4c30fa 4 API calls 7078->7079 7080 4c3a1a 7079->7080 7080->6438 7082 4cdd05 6 API calls 7081->7082 7083 4ce7be 7082->7083 7083->6438 7085 4cc07e wsprintfA 7084->7085 7086 4cc105 7084->7086 7178 
APIs
• closesocket.WS2_32(?), ref: 004CCA4E
• closesocket.WS2_32(?), ref: 004CCB63
• GetTempPathA.KERNEL32(00000120,?), ref: 004CCC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004CCCB4
• WriteFile.KERNEL32(004CA4B3,?,-000000E8,?,00000000), ref: 004CCCDC
• CloseHandle.KERNEL32(004CA4B3), ref: 004CCCED
• wsprintfA.USER32 ref: 004CCD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004CCD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 004CCD89
• CloseHandle.KERNEL32(?), ref: 004CCD98
• CloseHandle.KERNEL32(?), ref: 004CCD9D
• DeleteFileA.KERNEL32(?), ref: 004CCDC4
• CloseHandle.KERNEL32(004CA4B3), ref: 004CCDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 004CCFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 004CCFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 004CD033
• lstrcatA.KERNEL32(?,03B00108), ref: 004CD10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 004CD155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 004CD171
• WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000), ref: 004CD195
• CloseHandle.KERNEL32(00000000), ref: 004CD19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 004CD1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 004CD231
• lstrcatA.KERNEL32(?,03B00108,?,?,?,?,?,?,?,00000100), ref: 004CD27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 004CD2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 004CD2C7
• WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 004CD2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 004CD2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 004CD326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 004CD372
• lstrcatA.KERNEL32(?,03B00108,?,?,?,?,?,?,?,00000100), ref: 004CD3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 004CD3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 004CD408
• WriteFile.KERNEL32(00000000,03B0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 004CD428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 004CD42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 004CD45B
• CreateProcessA.KERNEL32(?,004D0264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 004CD4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 004CD4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 004CD4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 004CD513
• closesocket.WS2_32(?), ref: 004CD56C
• Sleep.KERNEL32(000003E8), ref: 004CD577
• ExitProcess.KERNEL32 ref: 004CD583
• wsprintfA.USER32 ref: 004CD81F
  • Part of subcall function 004CC65C: send.WS2_32(00000000,?,00000000), ref: 004CC74B
• closesocket.WS2_32(?), ref: 004CDAD5
Strings
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe$X M$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                      • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe$X M$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                      • API String ID: 562065436-952681147
                                                                                      • Opcode ID: 8690d6a7c5bae3174519e945a35180a5e7d5f855766719948976ff36180a9717
                                                                                      • Instruction ID: a100a9ca9a9ff00bf69c011ea4bb09a6a761a45104768520831e6c248fe7f7f7
                                                                                      • Opcode Fuzzy Hash: 8690d6a7c5bae3174519e945a35180a5e7d5f855766719948976ff36180a9717
                                                                                      • Instruction Fuzzy Hash: 1DB2C175D01208BBEB609FA5DD85FEE7BA8AB04304F14007FF609A3291D7789A45CB69
                                                                                      APIs
                                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 004C9A7F
                                                                                      • SetErrorMode.KERNELBASE(00000003), ref: 004C9A83
                                                                                      • SetUnhandledExceptionFilter.KERNEL32(004C6511), ref: 004C9A8A
                                                                                        • Part of subcall function 004CEC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 004CEC5E
                                                                                        • Part of subcall function 004CEC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 004CEC72
                                                                                        • Part of subcall function 004CEC54: GetTickCount.KERNEL32 ref: 004CEC78
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 004C9AB3
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 004C9ABA
                                                                                      • GetCommandLineA.KERNEL32 ref: 004C9AFD
                                                                                      • lstrlenA.KERNEL32(?), ref: 004C9B99
                                                                                      • ExitProcess.KERNEL32 ref: 004C9C06
                                                                                      • GetTempPathA.KERNEL32(000001F4,?), ref: 004C9CAC
                                                                                      • lstrcpyA.KERNEL32(?,00000000), ref: 004C9D7A
                                                                                      • lstrcatA.KERNEL32(?,?), ref: 004C9D8B
                                                                                      • lstrcatA.KERNEL32(?,004D070C), ref: 004C9D9D
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 004C9DED
                                                                                      • DeleteFileA.KERNEL32(00000022), ref: 004C9E38
                                                                                      • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 004C9E6F
                                                                                      • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 004C9EC8
                                                                                      • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 004C9ED5
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 004C9F3B
                                                                                      • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 004C9F5E
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 004C9F6A
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 004C9FAD
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 004C9FB4
                                                                                      • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 004C9FFE
                                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 004CA038
                                                                                      • lstrcatA.KERNEL32(00000022,004D0A34), ref: 004CA05E
                                                                                      • lstrcatA.KERNEL32(00000022,00000022), ref: 004CA072
                                                                                      • lstrcatA.KERNEL32(00000022,004D0A34), ref: 004CA08D
                                                                                      • wsprintfA.USER32 ref: 004CA0B6
                                                                                      • lstrcatA.KERNEL32(00000022,00000000), ref: 004CA0DE
                                                                                      • lstrcatA.KERNEL32(00000022,?), ref: 004CA0FD
                                                                                      • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 004CA120
                                                                                      • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 004CA131
                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 004CA174
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 004CA17B
                                                                                      • GetDriveTypeA.KERNEL32(00000022), ref: 004CA1B6
                                                                                      • GetCommandLineA.KERNEL32 ref: 004CA1E5
                                                                                        • Part of subcall function 004C99D2: lstrcpyA.KERNEL32(?,?,00000100,004D22F8,00000000,?,004C9E9D,?,00000022,?,?,?,?,?,?,?), ref: 004C99DF
                                                                                        • Part of subcall function 004C99D2: lstrcatA.KERNEL32(00000022,00000000,?,?,004C9E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 004C9A3C
                                                                                        • Part of subcall function 004C99D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,004C9E9D,?,00000022,?,?,?), ref: 004C9A52
                                                                                      • lstrlenA.KERNEL32(?), ref: 004CA288
                                                                                      • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 004CA3B7
                                                                                      • GetLastError.KERNEL32 ref: 004CA3ED
                                                                                      • Sleep.KERNEL32(000003E8), ref: 004CA400
                                                                                      • DeleteFileA.KERNELBASE(004D33D8), ref: 004CA407
                                                                                      • CreateThread.KERNELBASE(00000000,00000000,004C405E,00000000,00000000,00000000), ref: 004CA42C
                                                                                      • WSAStartup.WS2_32(00001010,?), ref: 004CA43A
                                                                                      • CreateThread.KERNELBASE(00000000,00000000,004C877E,00000000,00000000,00000000), ref: 004CA469
                                                                                      • Sleep.KERNELBASE(00000BB8), ref: 004CA48A
                                                                                      • GetTickCount.KERNEL32 ref: 004CA49F
                                                                                      • GetTickCount.KERNEL32 ref: 004CA4B7
                                                                                      • Sleep.KERNELBASE(00001A90), ref: 004CA4C3
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                      • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe$D$P$\$jjcfhqgg
                                                                                      • API String ID: 2089075347-3562732843
                                                                                      • Opcode ID: f61c933db9cbb11270716025d22f32e7dafd38ccd34503a40a71075f6b8eb3e9
                                                                                      • Instruction ID: 5cb8095f3c29c19dd340804f90d456802daffa6a3e0b71d3e417a04415e4ed8b
                                                                                      • Opcode Fuzzy Hash: f61c933db9cbb11270716025d22f32e7dafd38ccd34503a40a71075f6b8eb3e9
                                                                                      • Instruction Fuzzy Hash: 03529FB5C01259BBDB519FA19C49FEF7BBCAB04304F1440AFF509A3241EB789E448B69

                                                                                      Control-flow Graph: function 004C199C-004C1AC2 (rendered graph not reproduced; its basic blocks make the API calls listed under APIs below)
                                                                                      APIs
                                                                                      • inet_addr.WS2_32(123.45.67.89), ref: 004C19B1
                                                                                      • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,004C1E9E), ref: 004C19BF
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004C19E2
                                                                                      • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004C19ED
                                                                                      • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004C19F9
                                                                                      • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,004C1E9E), ref: 004C1A1B
                                                                                      • GetProcessHeap.KERNEL32(?,?,?,?,00000001,004C1E9E), ref: 004C1A1D
                                                                                      • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,004C1E9E), ref: 004C1A36
                                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,004C1E9E,?,?,?,?,00000001,004C1E9E), ref: 004C1A4A
                                                                                      • HeapReAlloc.KERNEL32(?,00000000,00000000,004C1E9E,?,?,?,?,00000001,004C1E9E), ref: 004C1A5A
                                                                                      • GetAdaptersInfo.IPHLPAPI(00000000,004C1E9E,?,?,?,?,00000001,004C1E9E), ref: 004C1A6E
                                                                                      • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,004C1E9E), ref: 004C1A9B
                                                                                      • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,004C1E9E), ref: 004C1AA4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                      • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                      • API String ID: 293628436-270533642
                                                                                      • Opcode ID: f2676e7521df5c5164a363c07c4cf256322c3355d4d1e8b289d666a187859663
                                                                                      • Instruction ID: 9c25663d24772396025d7156c49d57cf1f69a125ffc89df425ec10cbdb0d1ff2
                                                                                      • Opcode Fuzzy Hash: f2676e7521df5c5164a363c07c4cf256322c3355d4d1e8b289d666a187859663
                                                                                      • Instruction Fuzzy Hash: C3313035902219AFCB519FE4DC88EAFBBB5EB46301F24457FE501A3221D7364E41DB98
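The function at 004C199C loads Iphlpapi.dll at run time, resolves GetAdaptersInfo, GetIfEntry and GetBestInterface by name, and calls GetBestInterface with the fixed address 123.45.67.89 before reading that interface's details with GetAdaptersInfo. The address is consumed only by the routing lookup: no socket call appears in this function's listing, so the string identifies the internet-facing adapter the sample fingerprints and should not be filed as a contact address on its own. The PowerShell below is an added example, not code from the report or from the sample, that performs the same lookup on a Windows host so an analyst can see which adapter (and MAC) the sample would have selected; the function name is made up for the example, and Find-NetRoute / Get-NetAdapter need the NetTCPIP and NetAdapter modules (Windows 8 / Server 2012 and later).

```powershell
# Added example, not part of the Joe Sandbox report.
# 123.45.67.89 is the constant from the listing above; Find-NetRoute only
# consults the routing table, exactly as GetBestInterface does, and sends nothing.
$ProbeAddress = '123.45.67.89'

function Get-InternetFacingAdapter {
    param([string]$RemoteAddress = $ProbeAddress)

    # Find-NetRoute returns two objects: the local source address and the
    # route the stack would use for $RemoteAddress. Keep the route.
    $route = Find-NetRoute -RemoteIPAddress $RemoteAddress -ErrorAction Stop |
             Where-Object { $_.PSObject.TypeNames -match 'MSFT_NetRoute' } |
             Select-Object -First 1

    # This is the data GetAdaptersInfo hands back for that interface index.
    $adapter = Get-NetAdapter   -InterfaceIndex $route.InterfaceIndex
    $ips     = Get-NetIPAddress -InterfaceIndex $route.InterfaceIndex -AddressFamily IPv4

    [pscustomobject]@{
        InterfaceIndex = $route.InterfaceIndex
        Name           = $adapter.Name
        Description    = $adapter.InterfaceDescription
        MacAddress     = $adapter.MacAddress
        IPv4           = ($ips.IPAddress -join ', ')
        NextHop        = $route.NextHop
    }
}

Get-InternetFacingAdapter | Format-List
```

On a host with several NICs (VPN, virtual switch, Wi-Fi plus Ethernet) the result is whichever adapter currently owns the default route, which is also why the sample uses a public probe address rather than a local one: it wants the adapter that reaches the internet, not the first one enumerated.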

                                                                                      Control-flow Graph: function 004C7A95-004C7DB6 (rendered graph not reproduced; its basic blocks make the API calls listed under APIs below)
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 004C7ABA
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 004C7ADF
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,004D070C,?,?,?), ref: 004C7B16
                                                                                      • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 004C7B3B
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 004C7B59
                                                                                      • EqualSid.ADVAPI32(?,00000022), ref: 004C7B6A
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004C7B7E
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004C7B8C
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 004C7B9C
                                                                                      • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 004C7BAB
                                                                                      • LocalFree.KERNEL32(00000000), ref: 004C7BB2
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,004C7FC9,?,00000000), ref: 004C7BCE
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                      • String ID: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe$D
                                                                                      • API String ID: 2976863881-3478025276
                                                                                      • Opcode ID: 1977a15707287f7ca079574bd377fd091b076032e34fd2d7ce7c9678fd5fffa0
                                                                                      • Instruction ID: 6ec50d4adfa6d1099f38c785a0dfd911d6a6cf70c51842579be261a68c969a5d
                                                                                      • Opcode Fuzzy Hash: 1977a15707287f7ca079574bd377fd091b076032e34fd2d7ce7c9678fd5fffa0
                                                                                      • Instruction Fuzzy Hash: 96A13775905219ABDF528FA1DC88FEFBBB8FB44304F14406BE506E2250E7399A45CF68

                                                                                      Control-flow Graph: function 004C7809-004C7A94 (rendered graph not reproduced; its basic blocks make the API calls listed under APIs below)
                                                                                      APIs
                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 004C782F
                                                                                      • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 004C7866
                                                                                      • GetLengthSid.ADVAPI32(?), ref: 004C7878
                                                                                      • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 004C789A
                                                                                      • GetSecurityDescriptorOwner.ADVAPI32(?,004C7F63,?), ref: 004C78B8
                                                                                      • EqualSid.ADVAPI32(?,004C7F63), ref: 004C78D2
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004C78E3
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004C78F1
                                                                                      • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 004C7901
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 004C7910
                                                                                      • LocalFree.KERNEL32(00000000), ref: 004C7917
                                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 004C7933
                                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 004C7963
                                                                                      • EqualSid.ADVAPI32(?,004C7F63), ref: 004C798A
                                                                                      • DeleteAce.ADVAPI32(?,00000000), ref: 004C79A3
                                                                                      • EqualSid.ADVAPI32(?,004C7F63), ref: 004C79C5
                                                                                      • LocalAlloc.KERNEL32(00000040,00000014), ref: 004C7A4A
                                                                                      • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004C7A58
                                                                                      • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 004C7A69
                                                                                      • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 004C7A79
                                                                                      • LocalFree.KERNEL32(00000000), ref: 004C7A87
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                      • String ID: D
                                                                                      • API String ID: 3722657555-2746444292
                                                                                      • Opcode ID: 8acbe921d2a9653fc26c1c3154f4d2a5aa53819134126722fc4745efa9ed4f46
                                                                                      • Instruction ID: bb3cdfcc5c8839d48b68877ec88b4fff277697f14a991773c910a94c12d05310
                                                                                      • Opcode Fuzzy Hash: 8acbe921d2a9653fc26c1c3154f4d2a5aa53819134126722fc4745efa9ed4f46
                                                                                      • Instruction Fuzzy Hash: 1C814AB5905219ABDF62CFA4DD44FEFBBB8EF08340F14416AE505E2250D7398A41CF68

                                                                                      Control-flow Graph: function at 4c8328 (rendered graph with executed/not-executed path colouring not reproduced here)
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004C83F3
                                                                                      • RegQueryValueExA.KERNELBASE(004D0750,?,00000000,?,004C8893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004C8414
                                                                                      • RegSetValueExA.KERNELBASE(004D0750,?,00000000,00000004,004C8893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004C8441
                                                                                      • RegCloseKey.ADVAPI32(004D0750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004C844A
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Value$CloseOpenQuery
                                                                                      • String ID: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe$localcfg
                                                                                      • API String ID: 237177642-230564873
                                                                                      • Opcode ID: 2194b7afdfbda0020fc7e227bc202895090f61bb7adef290ccedea8bef5bf868
                                                                                      • Instruction ID: 1f7923630974279b9b105d29152d64afbd608d5f2405c21649a262ddd3a612cd
                                                                                      • Opcode Fuzzy Hash: 2194b7afdfbda0020fc7e227bc202895090f61bb7adef290ccedea8bef5bf868
                                                                                      • Instruction Fuzzy Hash: CFC1BFB9941109BEEB51ABA1DC85FFF7BBCEB14304F14446FF500A2151EBB84E448B29

                                                                                      Control-flow Graph: function at 4c1d96 (rendered graph with executed/not-executed path colouring not reproduced here)
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32 ref: 004C1DC6
                                                                                      • GetSystemInfo.KERNELBASE(?), ref: 004C1DE8
                                                                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 004C1E03
                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 004C1E0A
                                                                                      • GetCurrentProcess.KERNEL32(?), ref: 004C1E1B
                                                                                      • GetTickCount.KERNEL32 ref: 004C1FC9
                                                                                        • Part of subcall function 004C1BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 004C1C15
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                      • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                      • API String ID: 4207808166-1381319158
                                                                                      • Opcode ID: 23a3ee1c19b32b2a7bdea0fe0dc94892d0b1c56ce3f9b9d5b8f6280513bcc846
                                                                                      • Instruction ID: be44684a5d79c70be11013badcb5d67442974d2e9173c6ecd2242b35859a4909
                                                                                      • Opcode Fuzzy Hash: 23a3ee1c19b32b2a7bdea0fe0dc94892d0b1c56ce3f9b9d5b8f6280513bcc846
                                                                                      • Instruction Fuzzy Hash: 235195B49043446FE3B0AF768C85F2B7AECEB55708F04492FB94683253D77DA9048769

                                                                                      Control-flow Graph: function at 4c73ff (rendered graph with executed/not-executed path colouring not reproduced here)
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 004C7472
                                                                                      • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004C74F0
                                                                                      • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 004C7528
                                                                                      • ___ascii_stricmp.LIBCMT ref: 004C764D
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004C76E7
                                                                                      • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 004C7706
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004C7717
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004C7745
                                                                                      • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004C77EF
                                                                                        • Part of subcall function 004CF1A5: lstrlenA.KERNEL32(000000C8,000000E4,004D22F8,000000C8,004C7150,?), ref: 004CF1AD
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 004C778F
                                                                                      • RegCloseKey.KERNELBASE(?), ref: 004C77E6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                      • String ID: "
                                                                                      • API String ID: 3433985886-123907689
                                                                                      • Opcode ID: 79560e82c82d19570009996dd84836467f404d8bc0b51fb9d8f3344adf34f6de
                                                                                      • Instruction ID: b3fd2d6ad0afa54d0c24b1ebf8771612cf54dc2818dbf12b8392dc53a9debc23
                                                                                      • Opcode Fuzzy Hash: 79560e82c82d19570009996dd84836467f404d8bc0b51fb9d8f3344adf34f6de
                                                                                      • Instruction Fuzzy Hash: 62C1B079904209BBDB519BA5DC45FEFBBB9EF44310F1000AFF504A6291EB789A408F68

                                                                                      Control-flow Graph: function at 4c675c (rendered graph with executed/not-executed path colouring not reproduced here)
                                                                                      APIs
                                                                                      • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 004C677E
                                                                                      • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 004C679A
                                                                                      • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004C67B0
                                                                                      • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004C67BF
                                                                                      • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004C67D3
                                                                                      • ReadFile.KERNELBASE(000000FF,?,00000040,004C8244,00000000,?,74DF0F10,00000000), ref: 004C6807
                                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 004C681F
                                                                                      • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 004C683E
                                                                                      • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 004C685C
                                                                                      • ReadFile.KERNEL32(000000FF,?,00000028,004C8244,00000000,?,74DF0F10,00000000), ref: 004C688B
                                                                                      • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 004C6906
                                                                                      • ReadFile.KERNEL32(000000FF,?,00000000,004C8244,00000000,?,74DF0F10,00000000), ref: 004C691C
                                                                                      • FindCloseChangeNotification.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 004C6971
                                                                                        • Part of subcall function 004CEC2E: GetProcessHeap.KERNEL32(00000000,'L,00000000,004CEA27,00000000), ref: 004CEC41
                                                                                        • Part of subcall function 004CEC2E: RtlFreeHeap.NTDLL(00000000), ref: 004CEC48
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                      • String ID:
                                                                                      • API String ID: 1400801100-0
                                                                                      • Opcode ID: 5d3e005705b349f67ce69c0f2446ea59b372afb959a3e0fb8d32f1294bdbbb95
                                                                                      • Instruction ID: bf5922110d18c6c11a0b709b3d194403ecf5d6cf75bca7b1e40bc5a00df5f1d2
                                                                                      • Opcode Fuzzy Hash: 5d3e005705b349f67ce69c0f2446ea59b372afb959a3e0fb8d32f1294bdbbb95
                                                                                      • Instruction Fuzzy Hash: F47166B5C0121DEFDF509FA5CC80EEEBBB8FB04314F10856AE515A2290E7349E92CB64

                                                                                      Control-flow Graph: function at 4cf315 (rendered graph with executed/not-executed path colouring not reproduced here)
                                                                                      APIs
                                                                                      • htons.WS2_32(004CCA1D), ref: 004CF34D
                                                                                      • socket.WS2_32(00000002,00000001,00000000), ref: 004CF367
                                                                                      • closesocket.WS2_32(00000000), ref: 004CF375
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: closesockethtonssocket
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 311057483-2401304539
                                                                                      • Opcode ID: 83b7ab5e6058df1727f1f1487a53e0c149fc0779a24516ebd56f4b1ef58bf84e
                                                                                      • Instruction ID: c39220a23dd9690d3b521b19f658dac224943257093026e3e1051e97238cc6b1
                                                                                      • Opcode Fuzzy Hash: 83b7ab5e6058df1727f1f1487a53e0c149fc0779a24516ebd56f4b1ef58bf84e
                                                                                      • Instruction Fuzzy Hash: 74318976901118ABDB109FA5DC89EEF7BBDEF88314F10417BF904E3151E7388A458BA9

                                                                                      Control-flow Graph: function at 4c405e (rendered graph with executed/not-executed path colouring not reproduced here)
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 004C4070
                                                                                      • ExitProcess.KERNEL32 ref: 004C4121
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CreateEventExitProcess
                                                                                      • String ID:
                                                                                      • API String ID: 2404124870-0
                                                                                      • Opcode ID: 8b6a2896d3d71baaa961411df4dff926d4c3680ed32d04b60a71cf3e83e3e911
                                                                                      • Instruction ID: 36d6b8290b0bc396220fa67845fc18102dd17452b85ea6109ce16c45703e0ade
                                                                                      • Opcode Fuzzy Hash: 8b6a2896d3d71baaa961411df4dff926d4c3680ed32d04b60a71cf3e83e3e911
                                                                                      • Instruction Fuzzy Hash: 9F51B379D40218BAEB61ABA19D46FFF7B7CEB51754F00406EF600A2180E7388E41C769

                                                                                      Control-flow Graph: function at 4c2d21 (rendered graph with executed/not-executed path colouring not reproduced here)
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,004C2F01,?,004C20FF,004D2000), ref: 004C2D3A
                                                                                      • LoadLibraryA.KERNEL32(?), ref: 004C2D4A
                                                                                      • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 004C2D61
                                                                                      • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 004C2D77
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 004C2D99
                                                                                      • HeapAlloc.KERNEL32(00000000), ref: 004C2DA0
                                                                                      • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 004C2DCB
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                      • String ID: DnsQuery_A$dnsapi.dll
                                                                                      • API String ID: 233223969-3847274415
                                                                                      • Opcode ID: a983b52d9c65033a1cf2640e5bab25d649244df21b7f1cf72c93b882e288ba58
                                                                                      • Instruction ID: 06294e99192087418dbae00ac9651e2b847475669d1d77a227148aa392dd9859
                                                                                      • Opcode Fuzzy Hash: a983b52d9c65033a1cf2640e5bab25d649244df21b7f1cf72c93b882e288ba58
                                                                                      • Instruction Fuzzy Hash: 61218E75901226ABCB629F54DD44FAFBBB8EF18B51F10402BF906E3210D7F4998287D8

                                                                                      Control-flow Graph (rendered graph not available; legend: Executed / Not Executed)
                                                                                      control_flow_graph 1251 4c80c9-4c80ed call 4c6ec3 1254 4c80ef call 4c7ee6 1251->1254 1255 4c80f9-4c8115 call 4c704c 1251->1255 1259 4c80f4 1254->1259 1260 4c8225-4c822b 1255->1260 1261 4c811b-4c8121 1255->1261 1259->1260 1262 4c826c-4c8273 1260->1262 1263 4c822d-4c8233 1260->1263 1261->1260 1264 4c8127-4c812a 1261->1264 1263->1262 1265 4c8235-4c823f call 4c675c 1263->1265 1264->1260 1266 4c8130-4c8167 call 4c2544 RegOpenKeyExA 1264->1266 1269 4c8244-4c824b 1265->1269 1272 4c816d-4c818b RegQueryValueExA 1266->1272 1273 4c8216-4c8222 call 4cee2a 1266->1273 1269->1262 1271 4c824d-4c8269 call 4c24c2 call 4cec2e 1269->1271 1271->1262 1275 4c818d-4c8191 1272->1275 1276 4c81f7-4c81fe 1272->1276 1273->1260 1275->1276 1281 4c8193-4c8196 1275->1281 1279 4c820d-4c8210 RegCloseKey 1276->1279 1280 4c8200-4c8206 call 4cec2e 1276->1280 1279->1273 1289 4c820c 1280->1289 1281->1276 1285 4c8198-4c81a8 call 4cebcc 1281->1285 1285->1279 1291 4c81aa-4c81c2 RegQueryValueExA 1285->1291 1289->1279 1291->1276 1292 4c81c4-4c81ca 1291->1292 1293 4c81cd-4c81d2 1292->1293 1293->1293 1294 4c81d4-4c81e5 call 4cebcc 1293->1294 1294->1279 1297 4c81e7-4c81f5 call 4cef00 1294->1297 1297->1289
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004C815F
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,004CA45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004C8187
                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,004CA45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004C81BE
                                                                                      • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004C8210
                                                                                        • Part of subcall function 004C675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 004C677E
                                                                                        • Part of subcall function 004C675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 004C679A
                                                                                        • Part of subcall function 004C675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004C67B0
                                                                                        • Part of subcall function 004C675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004C67BF
                                                                                        • Part of subcall function 004C675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004C67D3
                                                                                        • Part of subcall function 004C675C: ReadFile.KERNELBASE(000000FF,?,00000040,004C8244,00000000,?,74DF0F10,00000000), ref: 004C6807
                                                                                        • Part of subcall function 004C675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 004C681F
                                                                                        • Part of subcall function 004C675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 004C683E
                                                                                        • Part of subcall function 004C675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 004C685C
                                                                                        • Part of subcall function 004CEC2E: GetProcessHeap.KERNEL32(00000000,'L,00000000,004CEA27,00000000), ref: 004CEC41
                                                                                        • Part of subcall function 004CEC2E: RtlFreeHeap.NTDLL(00000000), ref: 004CEC48
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                      • String ID: C:\Windows\SysWOW64\jjcfhqgg\wzsddmnn.exe
                                                                                      • API String ID: 124786226-1358119261
                                                                                      • Opcode ID: a6ce23b9b4dad802ff40be461632070619f3a511a897373ba9fd29396c205121
                                                                                      • Instruction ID: b30c12d9c3a2a0153eba5087d79327ef05d23534c6a313614d966301ad95166d
                                                                                      • Opcode Fuzzy Hash: a6ce23b9b4dad802ff40be461632070619f3a511a897373ba9fd29396c205121
                                                                                      • Instruction Fuzzy Hash: A841A0BA801108BFEB50EBA19D85FBF77ACAB10304F1448AFF500A3101EA785E458B29

                                                                                      Control-flow Graph (rendered graph not available; legend: Executed / Not Executed)
                                                                                      control_flow_graph 1300 4c1ac3-4c1adc LoadLibraryA 1301 4c1b6b-4c1b70 1300->1301 1302 4c1ae2-4c1af3 GetProcAddress 1300->1302 1303 4c1b6a 1302->1303 1304 4c1af5-4c1b01 1302->1304 1303->1301 1305 4c1b1c-4c1b27 GetAdaptersAddresses 1304->1305 1306 4c1b29-4c1b2b 1305->1306 1307 4c1b03-4c1b12 call 4cebed 1305->1307 1308 4c1b2d-4c1b32 1306->1308 1309 4c1b5b-4c1b5e 1306->1309 1307->1306 1318 4c1b14-4c1b1b 1307->1318 1311 4c1b69 1308->1311 1312 4c1b34-4c1b3b 1308->1312 1309->1311 1313 4c1b60-4c1b68 call 4cec2e 1309->1313 1311->1303 1315 4c1b3d-4c1b52 1312->1315 1316 4c1b54-4c1b59 1312->1316 1313->1311 1315->1315 1315->1316 1316->1309 1316->1312 1318->1305
                                                                                      APIs
                                                                                      • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 004C1AD4
                                                                                      • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 004C1AE9
                                                                                      • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 004C1B20
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                      • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                      • API String ID: 3646706440-1087626847
                                                                                      • Opcode ID: bcfeb8351b26dd430fb932425aad04a11a0da05162be3e1ca80fc0f9546dfa68
                                                                                      • Instruction ID: e7945856197881a6cb1cfc5fa4cd2432ed7d16091f95d92a7f78ff44ed4fe2fe
                                                                                      • Opcode Fuzzy Hash: bcfeb8351b26dd430fb932425aad04a11a0da05162be3e1ca80fc0f9546dfa68
                                                                                      • Instruction Fuzzy Hash: 6711EB79E01124AFCB55D765CC84EAEFB79EB45B10B14405FE005A3222F6346D40CF88

                                                                                      Control-flow Graph (rendered graph not available; legend: Executed / Not Executed)
                                                                                      control_flow_graph 1320 4ce3ca-4ce3ee RegOpenKeyExA 1321 4ce528-4ce52d 1320->1321 1322 4ce3f4-4ce3fb 1320->1322 1323 4ce3fe-4ce403 1322->1323 1323->1323 1324 4ce405-4ce40f 1323->1324 1325 4ce414-4ce452 call 4cee08 call 4cf1ed RegQueryValueExA 1324->1325 1326 4ce411-4ce413 1324->1326 1331 4ce51d-4ce527 RegCloseKey 1325->1331 1332 4ce458-4ce486 call 4cf1ed RegQueryValueExA 1325->1332 1326->1325 1331->1321 1335 4ce488-4ce48a 1332->1335 1335->1331 1336 4ce490-4ce4a1 call 4cdb2e 1335->1336 1336->1331 1339 4ce4a3-4ce4a6 1336->1339 1340 4ce4a9-4ce4d3 call 4cf1ed RegQueryValueExA 1339->1340 1343 4ce4e8-4ce4ea 1340->1343 1344 4ce4d5-4ce4da 1340->1344 1343->1331 1346 4ce4ec-4ce516 call 4c2544 call 4ce332 1343->1346 1344->1343 1345 4ce4dc-4ce4e6 1344->1345 1345->1340 1345->1343 1346->1331
                                                                                      APIs
                                                                                      • RegOpenKeyExA.KERNELBASE(80000001,004CE5F2,00000000,00020119,004CE5F2,004D22F8), ref: 004CE3E6
                                                                                      • RegQueryValueExA.ADVAPI32(004CE5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 004CE44E
                                                                                      • RegQueryValueExA.ADVAPI32(004CE5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 004CE482
                                                                                      • RegQueryValueExA.ADVAPI32(004CE5F2,?,00000000,?,80000001,?), ref: 004CE4CF
                                                                                      • RegCloseKey.ADVAPI32(004CE5F2,?,?,?,?,000000C8,000000E4), ref: 004CE520
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: QueryValue$CloseOpen
                                                                                      • String ID:
                                                                                      • API String ID: 1586453840-0
                                                                                      • Opcode ID: 649f5f8e5a92648f686a7a720046e11813166255c8a428176089064178d52309
                                                                                      • Instruction ID: b8f8f3aefaf37dabc84abe4e5425037d6d19e8adfe8c8a01e34f08387a3e04f5
                                                                                      • Opcode Fuzzy Hash: 649f5f8e5a92648f686a7a720046e11813166255c8a428176089064178d52309
                                                                                      • Instruction Fuzzy Hash: 5D4116B6D00219BFEF519FD5DC85EEEBBB9EB04308F04406AE900A3250E7359E158B64

                                                                                      Control-flow Graph (rendered graph not available; legend: Executed / Not Executed)
                                                                                      control_flow_graph 1351 4cf26d-4cf303 setsockopt * 5
                                                                                      APIs
                                                                                      • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 004CF2A0
                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 004CF2C0
                                                                                      • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 004CF2DD
                                                                                      • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 004CF2EC
                                                                                      • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 004CF2FD
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: setsockopt
                                                                                      • String ID:
                                                                                      • API String ID: 3981526788-0
                                                                                      • Opcode ID: 81807dddde636a90fe62178a9dc5666e0de447ff30f643ca3f14807382342287
                                                                                      • Instruction ID: 7020d5dd1ac2147338e7c1a5463582ea88f23728a87cc5fff590694fd726f095
                                                                                      • Opcode Fuzzy Hash: 81807dddde636a90fe62178a9dc5666e0de447ff30f643ca3f14807382342287
                                                                                      • Instruction Fuzzy Hash: EE11F8B2A40248BAEB11DF94CD85F9E7FBCEB44751F008066BB04EA1D0E6B19A44CB94

                                                                                      Control-flow Graph (rendered graph not available; legend: Executed / Not Executed)
                                                                                      control_flow_graph 1352 4c1bdf-4c1c04 call 4c1ac3 1354 4c1c09-4c1c0b 1352->1354 1355 4c1c0d-4c1c1d GetComputerNameA 1354->1355 1356 4c1c5a-4c1c5e 1354->1356 1357 4c1c1f-4c1c24 1355->1357 1358 4c1c45-4c1c57 GetVolumeInformationA 1355->1358 1357->1358 1359 4c1c26-4c1c3b 1357->1359 1358->1356 1359->1359 1360 4c1c3d-4c1c3f 1359->1360 1360->1358 1361 4c1c41-4c1c43 1360->1361 1361->1356
                                                                                      APIs
                                                                                        • Part of subcall function 004C1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 004C1AD4
                                                                                        • Part of subcall function 004C1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 004C1AE9
                                                                                        • Part of subcall function 004C1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 004C1B20
                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 004C1C15
                                                                                      • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 004C1C51
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                      • String ID: hi_id$localcfg
                                                                                      • API String ID: 2794401326-2393279970
                                                                                      • Opcode ID: a392e8fcad37e42b50e6c937fd3c7a9f95ec119a41c5a9110bd4f2d3238b1011
                                                                                      • Instruction ID: fc03980164d26091c2db3cd27fd538b48fdc75ed6ec25112f80e5056ac859d8f
                                                                                      • Opcode Fuzzy Hash: a392e8fcad37e42b50e6c937fd3c7a9f95ec119a41c5a9110bd4f2d3238b1011
                                                                                      • Instruction Fuzzy Hash: 20018476940118BBEB50DAE8C8C5EFFBBBCE745745F10047BE602E3211D1349D448665
                                                                                      APIs
                                                                                        • Part of subcall function 004C1AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 004C1AD4
                                                                                        • Part of subcall function 004C1AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 004C1AE9
                                                                                        • Part of subcall function 004C1AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 004C1B20
                                                                                      • GetComputerNameA.KERNEL32(?,0000000F), ref: 004C1BA3
                                                                                      • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,004C1EFD,00000000,00000000,00000000,00000000), ref: 004C1BB8
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2794401326-1857712256
                                                                                      • Opcode ID: fa51b747c8af020cb4c59680d727b0a96ed43b6b13f4e56d8a4b5cca5ff97612
                                                                                      • Instruction ID: 763ed7ec511304c39427c2b0a6000081a4a4114eee7059e898d76135b2beb928
                                                                                      • Opcode Fuzzy Hash: fa51b747c8af020cb4c59680d727b0a96ed43b6b13f4e56d8a4b5cca5ff97612
                                                                                      • Instruction Fuzzy Hash: 25018BB6D00108BFEB01ABE9CC81EEFFBBCEB48654F150066A601E3151E6706E084AA0
                                                                                      APIs
                                                                                      • inet_addr.WS2_32(00000001), ref: 004C2693
                                                                                      • gethostbyname.WS2_32(00000001), ref: 004C269F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbynameinet_addr
                                                                                      • String ID: time_cfg
                                                                                      • API String ID: 1594361348-2401304539
• Opcode ID: 6486d3924a99b119a27ff4ebf1cf9ac6b93f1092382cfccfc070afd42fecdcbc
• Instruction ID: ca9bee86f090582709e2f901dec703f6204462fe90764606b7f77a3b573f81d4
• Opcode Fuzzy Hash: 6486d3924a99b119a27ff4ebf1cf9ac6b93f1092382cfccfc070afd42fecdcbc
• Instruction Fuzzy Hash: 3FE08C342060218FCB909B28F848F8A37A4AF16330F01418AF480C72A0C7B4DC8097A8
APIs
  • Part of subcall function 004CEBA0: GetProcessHeap.KERNEL32(00000000,00000000,004CEC0A,00000000,80000001,?,004CDB55,7FFF0001), ref: 004CEBAD
  • Part of subcall function 004CEBA0: HeapSize.KERNEL32(00000000,?,004CDB55,7FFF0001), ref: 004CEBB4
• GetProcessHeap.KERNEL32(00000000,'L,00000000,004CEA27,00000000), ref: 004CEC41
• RtlFreeHeap.NTDLL(00000000), ref: 004CEC48
Strings
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$FreeSize
• String ID: 'L
• API String ID: 1305341483-3688640772
• Opcode ID: c7ee7a45117c9cf5c8d83703ef37cd71fc30d4634c2a11b36743667587a83fe6
• Instruction ID: c8902f186d44ec25d74ca9e5fd1b13c928a0b77e6b237237861398353d4e962b
• Opcode Fuzzy Hash: c7ee7a45117c9cf5c8d83703ef37cd71fc30d4634c2a11b36743667587a83fe6
• Instruction Fuzzy Hash: 79C012324072306BC5912751BC0DFAF6B189F46711F0D441FF4056715487645C4086E9
APIs
  • Part of subcall function 004CDD05: GetTickCount.KERNEL32 ref: 004CDD0F
  • Part of subcall function 004CDD05: InterlockedExchange.KERNEL32(004D36B4,00000001), ref: 004CDD44
  • Part of subcall function 004CDD05: GetCurrentThreadId.KERNEL32 ref: 004CDD53
• GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,004CA445), ref: 004CE558
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,74DF0F10,?,00000000,?,004CA445), ref: 004CE583
• CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,004CA445), ref: 004CE5B2
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
• String ID:
• API String ID: 3683885500-0
• Opcode ID: 84b6b8c2677051e950257a7dab722b0328a5874d57545aea913f21659fd819de
• Instruction ID: 6db93406f7f5bccfbfd025f98ae7b8f6c0e05b20d94455add2f8b0bcdba9ae11
• Opcode Fuzzy Hash: 84b6b8c2677051e950257a7dab722b0328a5874d57545aea913f21659fd819de
• Instruction Fuzzy Hash: 1F21EAB69402007AE2A17A635D07F6B3E5CDB54758F10052FFE09A12E3EB9DE91081BD
APIs
• Sleep.KERNELBASE(000003E8), ref: 004C88A5
  • Part of subcall function 004CF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,004CE342,00000000,75A8EA50,80000001,00000000,004CE513,?,00000000,00000000,?,000000E4), ref: 004CF089
  • Part of subcall function 004CF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,004CE342,00000000,75A8EA50,80000001,00000000,004CE513,?,00000000,00000000,?,000000E4,000000C8), ref: 004CF093
Strings
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: Time$FileSystem$Sleep
• String ID: localcfg$rresolv
• API String ID: 1561729337-486471987
• Opcode ID: ff07bbe4faf36107e8122dd1c9ac3397b42f0504d185dbdeee94644fe84cc53c
• Instruction ID: 061eadf69b191834441f7436fe5f3f034f8bcf8a92b5501c9566cece7c16e624
• Opcode Fuzzy Hash: ff07bbe4faf36107e8122dd1c9ac3397b42f0504d185dbdeee94644fe84cc53c
• Instruction Fuzzy Hash: FB21C4391493006AF395B7676E47FAA3BE9DB10B14FA0482FF904961C3EEDD854441BD
APIs
• CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004D22F8,004C42B6,00000000,00000001,004D22F8,00000000,?,004C98FD), ref: 004C4021
• GetLastError.KERNEL32(?,004C98FD,00000001,00000100,004D22F8,004CA3C7), ref: 004C402C
• Sleep.KERNEL32(000001F4,?,004C98FD,00000001,00000100,004D22F8,004CA3C7), ref: 004C4046
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateErrorFileLastSleep
• String ID:
• API String ID: 408151869-0
• Opcode ID: 126130671b69d94768e0de383a77aed4403bf9980874d4aa2bf84be8431f7eb5
• Instruction ID: 7c296a97e488d6e6a93d18eb2a170f1dbe5952c0175c34ba2904f80eced29672
• Opcode Fuzzy Hash: 126130671b69d94768e0de383a77aed4403bf9980874d4aa2bf84be8431f7eb5
• Instruction Fuzzy Hash: 9BF0A7352801016AD7724B26BD59F1B37A1DBC2724F254B2EF3B5E31E0C63448819B1D
APIs
• GetEnvironmentVariableA.KERNEL32(004CDC19,?,00000104), ref: 004CDB7F
• lstrcpyA.KERNEL32(?,004D28F8), ref: 004CDBA4
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 004CDBC2
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateEnvironmentFileVariablelstrcpy
• String ID:
• API String ID: 2536392590-0
• Opcode ID: a1721f348d829c7e0b06347378a14b8c0e5a3a5fcffe4b520ab31fc732df989a
• Instruction ID: 06a32206bd6f374b33328171adaa1cc9e5f6f3da8034625a2327b5708c2087cf
• Opcode Fuzzy Hash: a1721f348d829c7e0b06347378a14b8c0e5a3a5fcffe4b520ab31fc732df989a
• Instruction Fuzzy Hash: D8F09070500209BBEF119F64EC89FD93B69AB10308F1041A5BB55A50D0D7F2E945CB28
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 004CEC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 004CEC72
• GetTickCount.KERNEL32 ref: 004CEC78
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0
• Opcode ID: 8ff3c7fc207da01957c465a6b1dc029bcf877f76f121244bbac8a9dab925e4a4
• Instruction ID: 51d59fdee966cb44e6c165f5d13a9b9d09c9ef9c175f831c056677bc20e2d91f
• Opcode Fuzzy Hash: 8ff3c7fc207da01957c465a6b1dc029bcf877f76f121244bbac8a9dab925e4a4
• Instruction Fuzzy Hash: A9E09AF5811104BFE711ABB0EC4AE6F77BCEB08215F500661B911D6090DA709A058B64
APIs
• gethostname.WS2_32(?,00000080), ref: 004C30D8
• gethostbyname.WS2_32(?), ref: 004C30E2
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: gethostbynamegethostname
• String ID:
• API String ID: 3961807697-0
• Opcode ID: c028fc20f5799f5491a3b7f9712b1c4edd6a1a68f0e5b715d797cae008ce898a
• Instruction ID: 008f96053f4b2361c10cb5ada43a85a606c77b089e0523e4a8842f905637bd90
• Opcode Fuzzy Hash: c028fc20f5799f5491a3b7f9712b1c4edd6a1a68f0e5b715d797cae008ce898a
• Instruction Fuzzy Hash: DCE09B769011199BCF00DBA8EC89F9B77ECFF04308F084066F905E3255EA34E9048794
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,7FFF0001,80000001,?,004CDB55,7FFF0001), ref: 004CEC13
• RtlReAllocateHeap.NTDLL(00000000,?,004CDB55,7FFF0001), ref: 004CEC1A
  • Part of subcall function 004CEBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,004CEBFE,7FFF0001,?,004CDB55,7FFF0001), ref: 004CEBD3
  • Part of subcall function 004CEBCC: RtlAllocateHeap.NTDLL(00000000,?,004CDB55,7FFF0001), ref: 004CEBDA
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 767421176c7de718add4fc5283e6cc8c4559ae24c97f950ade2b871c768b4001
• Instruction ID: a6d7f48fcd2e299f916045722a1a5bff2f8bdfe8b35d74ceb0d998316be63305
• Opcode Fuzzy Hash: 767421176c7de718add4fc5283e6cc8c4559ae24c97f950ade2b871c768b4001
• Instruction Fuzzy Hash: 56E012361052187ADF412B96EC09FAD7B59DB04365F14802AF90D49161DB369990D698
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,80000001,004CEBFE,7FFF0001,?,004CDB55,7FFF0001), ref: 004CEBD3
• RtlAllocateHeap.NTDLL(00000000,?,004CDB55,7FFF0001), ref: 004CEBDA
  • Part of subcall function 004CEB74: GetProcessHeap.KERNEL32(00000000,00000000,004CEC28,00000000,?,004CDB55,7FFF0001), ref: 004CEB81
  • Part of subcall function 004CEB74: HeapSize.KERNEL32(00000000,?,004CDB55,7FFF0001), ref: 004CEB88
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AllocateSize
• String ID:
• API String ID: 2559512979-0
• Opcode ID: f5545c5ec4272c84696421c470d2b0958f2b75df3b4b21eafbd0d624c0a17144
• Instruction ID: 0101197cdf3902b652cba7fd1fb05ae5e1ab00a5343cbb020bfd8a9837907b4f
• Opcode Fuzzy Hash: f5545c5ec4272c84696421c470d2b0958f2b75df3b4b21eafbd0d624c0a17144
• Instruction Fuzzy Hash: 83C0803610523067C64127A57C0CF9E7F54DF05352F08001AF505C3160C7354C4087A9
APIs
• recv.WS2_32(000000C8,?,00000000,004CCA44), ref: 004CF476
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: d20e055c3b3a77b6b43181ba240d60e8070aa15aee6ad586c7d80f15b65a5359
• Instruction ID: 370582eb186bdd336a1e2efebd7fcb75617cf3b7639b992488765f5d94044c71
• Opcode Fuzzy Hash: d20e055c3b3a77b6b43181ba240d60e8070aa15aee6ad586c7d80f15b65a5359
• Instruction Fuzzy Hash: AFF08C3620154AAB9B419E9ADC84DAB3BAEFB99310B050137FA04D3110D639E825CBA8
APIs
• closesocket.WS2_32(00000000), ref: 004C1992
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
• Opcode ID: 4cb469fcc944aa9858e614e28a890652cbbb4d370db0628398c54c03e8584945
• Instruction ID: 1932f31a2154ba366c4d7cea5e076c16a83120925415a3d87734f0688273bce8
• Opcode Fuzzy Hash: 4cb469fcc944aa9858e614e28a890652cbbb4d370db0628398c54c03e8584945
• Instruction Fuzzy Hash: 91D0222A1092312A42402359BC04A7FAB8CCF05262B00802FFC48C0120C638CC41839D
APIs
• lstrcmpiA.KERNEL32(80000011,00000000), ref: 004CDDB5
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
• Opcode ID: 9a6a5fac6c1e8b6e35a4547a9f168245bdbb8650cb7a4bf06cd0a95b113d7800
• Instruction ID: 574e18dcee573c768c38ef747d77807550a201aa4462f4736a0d8ee488d79d75
• Opcode Fuzzy Hash: 9a6a5fac6c1e8b6e35a4547a9f168245bdbb8650cb7a4bf06cd0a95b113d7800
• Instruction Fuzzy Hash: 0EF05839E003029BCBA18E249984B67B7E8AB85325F14483FE25A92250DB38DC45CB1A
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,004C9816,EntryPoint), ref: 004C638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,004C9816,EntryPoint), ref: 004C63A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004C63CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004C63EB
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: a94449a7bf0ac5f898afbabb7d68dcc3216b5d717c842f47f77af8b1009c06b5
• Instruction ID: 4c66a08ce49fd29e37a8ddcc9ae786a82abf9ad6c992e1763ebecde160e60748
• Opcode Fuzzy Hash: a94449a7bf0ac5f898afbabb7d68dcc3216b5d717c842f47f77af8b1009c06b5
• Instruction Fuzzy Hash: 3211E3B5600219BFDB518F65DC09F9B3BA8EB047A4F01806AFD08E7290D671DC008AB8
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,004C1839,004C9646), ref: 004C1012
• GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004C10C2
• GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004C10E1
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 004C1101
• GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 004C1121
• GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 004C1140
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 004C1160
• GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 004C1180
• GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 004C119F
• GetProcAddress.KERNEL32(00000000,NtClose), ref: 004C11BF
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004C11DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004C11FE
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 004C121A
Strings
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
• Opcode ID: e4d9be6713f9d57c2ef0e63569ad49677bb98de508f22834fc43d2d31264048e
                                                                                      • Instruction ID: c668310532dc64a97f5cf1bd553e62826475e492c55dbbed7dbb65cfcc53cadb
                                                                                      • Opcode Fuzzy Hash: e4d9be6713f9d57c2ef0e63569ad49677bb98de508f22834fc43d2d31264048e
                                                                                      • Instruction Fuzzy Hash: 11513EB9643601A6D7518F69EC64B5637E86749322F1403BB9420D23F1D7F8CA82CB9E
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 004CB2B3
                                                                                      • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 004CB2C2
                                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 004CB2D0
                                                                                      • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 004CB2E1
                                                                                      • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 004CB31A
                                                                                      • GetTimeZoneInformation.KERNEL32(?), ref: 004CB329
                                                                                      • wsprintfA.USER32 ref: 004CB3B7
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                      • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                      • API String ID: 766114626-2976066047
                                                                                      • Opcode ID: 5f8c4e5a4c32ba0287c5a65017c4b7934668f8aec6c7dceb8c964a738ba1c594
                                                                                      • Instruction ID: 2de09d58191dca095938e22a9ae72a69589d7d14fe07a32c22f762dde70d8526
                                                                                      • Opcode Fuzzy Hash: 5f8c4e5a4c32ba0287c5a65017c4b7934668f8aec6c7dceb8c964a738ba1c594
                                                                                      • Instruction Fuzzy Hash: C4519475D1021CAACF58CFD5D859AEEBBB9FF49704F10812BE501B7250D3784A89CB98
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                      • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                      • API String ID: 2400214276-165278494
                                                                                      • Opcode ID: 81ee6a296748b113edc01b91e8df94f0497196f280d2c8ddea31eb2a2736e0cb
                                                                                      • Instruction ID: 08466d0a77727deacca4fce7701f43a19679ceaeb12d9ce4c95e4fcca328044d
                                                                                      • Opcode Fuzzy Hash: 81ee6a296748b113edc01b91e8df94f0497196f280d2c8ddea31eb2a2736e0cb
                                                                                      • Instruction Fuzzy Hash: B1615E72A50208AFDB609FB4DC45FEA77E9FF08300F24806AF959D3261DA75A9508F54
                                                                                      APIs
                                                                                      • wsprintfA.USER32 ref: 004CA7FB
                                                                                      • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 004CA87E
                                                                                      • send.WS2_32(00000000,?,00000000,00000000), ref: 004CA893
                                                                                      • wsprintfA.USER32 ref: 004CA8AF
                                                                                      • send.WS2_32(00000000,.,00000005,00000000), ref: 004CA8D2
                                                                                      • wsprintfA.USER32 ref: 004CA8E2
                                                                                      • recv.WS2_32(00000000,?,000003F6,00000000), ref: 004CA97C
                                                                                      • wsprintfA.USER32 ref: 004CA9B9
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$send$lstrlenrecv
                                                                                      • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                      • API String ID: 3650048968-2394369944
                                                                                      • Opcode ID: b0678bdda8376edec3c28d472ff81923876d6eecc44096ff873ad45b8b10a4bc
                                                                                      • Instruction ID: eabfe6d9a3aac16ce7d84e4b66b7844cd59ef61059db42f635da00b5a18d0494
                                                                                      • Opcode Fuzzy Hash: b0678bdda8376edec3c28d472ff81923876d6eecc44096ff873ad45b8b10a4bc
                                                                                      • Instruction Fuzzy Hash: D9A1067994420DABDFA09A54DC85FAE3769AB0030CF24042FFA01A7290EA3D9D65875F
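The strings of the function above (ehlo %s / helo %s, AUTH LOGIN, mail from:<%s>, rcpt to:<%s>, data, quit, the 5-byte "." terminator sent at 004CA8D2, the 0x3F6-byte recv at 004CA97C and the three error texts) describe the bot's SMTP client side. The following script, added here as an illustration and not taken from the sample, replays that command sequence against a constructed in-memory peer so it runs offline. The expected reply code per command, the choice of ehlo versus helo based on the "ESMTP" banner string, and the meaning of "too small" (fewer than three bytes) are assumptions drawn from the strings, not from the disassembly.

```python
"""Scripted SMTP exchange mirroring the command sequence recovered from the bot's
strings (ehlo/helo, AUTH LOGIN, mail from, rcpt to, data, '.', quit) and its
three response checks. Added example, not the sample's own code; the peer is a
constructed in-memory transcript so the script runs offline."""
import base64

MAX_RESPONSE = 0x3F6   # recv() buffer length seen at 004CA97C (1014 bytes)
MIN_RESPONSE = 3       # anything shorter cannot carry a 3-digit reply code (assumption)


class SmtpProtocolError(Exception):
    pass


class FakeServer:
    """Constructed peer: hands out canned replies in order and records what it got."""
    def __init__(self, replies):
        self._replies = list(replies)
        self.received = []

    def send(self, data: bytes) -> int:
        self.received.append(data)
        return len(data)

    def recv(self) -> bytes:
        return self._replies.pop(0) if self._replies else b""


def check_reply(reply: bytes, expected: str) -> str:
    """The bot's own error texts: oversized, undersized, or wrong status code."""
    if len(reply) > MAX_RESPONSE:
        raise SmtpProtocolError("Too big smtp respons (%d bytes)" % len(reply))
    if len(reply) < MIN_RESPONSE:
        raise SmtpProtocolError("Too small respons")
    code = reply[:3].decode("ascii", "replace")
    if not code.startswith(expected):
        raise SmtpProtocolError("Incorrect respons")
    return code


def _command(server, data: bytes, expected: str) -> str:
    """Send one command line and validate the reply, including a short send."""
    sent = server.send(data)
    if sent != len(data):
        raise SmtpProtocolError("Error sending command (sent = %d/%d)" % (sent, len(data)))
    return check_reply(server.recv(), expected)


def send_mail(server, helo_name, mail_from, rcpt_to, message: bytes, auth=None):
    """One delivery; returns the reply codes seen in order.
    auth is an optional (user, password) pair for AUTH LOGIN (assumed usage)."""
    banner = server.recv()
    codes = [check_reply(banner, "220")]
    verb = b"ehlo" if b"ESMTP" in banner else b"helo"   # inferred from the ESMTP string
    codes.append(_command(server, b"%s %s\r\n" % (verb, helo_name.encode()), "250"))
    if auth:
        user, password = auth
        codes.append(_command(server, b"AUTH LOGIN\r\n", "334"))
        codes.append(_command(server, base64.b64encode(user.encode()) + b"\r\n", "334"))
        codes.append(_command(server, base64.b64encode(password.encode()) + b"\r\n", "235"))
    codes.append(_command(server, b"mail from:<%s>\r\n" % mail_from.encode(), "250"))
    codes.append(_command(server, b"rcpt to:<%s>\r\n" % rcpt_to.encode(), "250"))
    codes.append(_command(server, b"data\r\n", "354"))
    server.send(message.replace(b"\r\n.", b"\r\n.."))       # dot-stuffing of the body
    codes.append(_command(server, b"\r\n.\r\n", "250"))      # the 5-byte terminator (004CA8D2)
    codes.append(_command(server, b"quit\r\n", "221"))
    return codes


def run_demo():
    """Constructed session transcript (not captured traffic); returns (server, codes)."""
    replies = [b"220 mx.example.test ESMTP ready\r\n",
               b"250-mx.example.test\r\n250 AUTH LOGIN\r\n",
               b"334 VXNlcm5hbWU6\r\n", b"334 UGFzc3dvcmQ6\r\n", b"235 ok\r\n",
               b"250 ok\r\n", b"250 ok\r\n", b"354 go ahead\r\n",
               b"250 queued\r\n", b"221 bye\r\n"]
    server = FakeServer(replies)
    codes = send_mail(server, "host1", "bot@example.test", "victim@example.test",
                      b"Subject: hi\r\n\r\nbody", auth=("user", "pass"))
    return server, codes


if __name__ == "__main__":
    srv, seen = run_demo()
    for line in srv.received:
        print("C:", line.rstrip().decode())
    print("reply codes:", seen)
```

A mail honeypot that logs exactly this client behaviour (lower-case verbs, ehlo only when the banner says ESMTP, fixed-size reply reads) has the raw material for a client fingerprint; the script is only the client half of that exchange.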
                                                                                      APIs
                                                                                      • ShellExecuteExW.SHELL32(?), ref: 004C139A
                                                                                      • lstrlenW.KERNEL32(-00000003), ref: 004C1571
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ExecuteShelllstrlen
                                                                                      • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                                      • API String ID: 1628651668-179334549
                                                                                      • Opcode ID: 75eb81d155013a44510108f1c96a40290daa185f97b8ee31f65580d9439f0e6e
                                                                                      • Instruction ID: dd103374a7a69ceaf279e97ca421394ce0be0e8e196f123d699d5ff99724a3ea
                                                                                      • Opcode Fuzzy Hash: 75eb81d155013a44510108f1c96a40290daa185f97b8ee31f65580d9439f0e6e
                                                                                      • Instruction Fuzzy Hash: D1F19AB92093419FD320DF64C888F6BB7E4FB8A304F10492EF586973A1D7789945CB5A
                                                                                      APIs
                                                                                      • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 004C2A83
                                                                                      • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 004C2A86
                                                                                      • socket.WS2_32(00000002,00000002,00000011), ref: 004C2AA0
                                                                                      • htons.WS2_32(00000000), ref: 004C2ADB
                                                                                      • select.WS2_32 ref: 004C2B28
                                                                                      • recv.WS2_32(?,00000000,00001000,00000000), ref: 004C2B4A
                                                                                      • htons.WS2_32(?), ref: 004C2B71
                                                                                      • htons.WS2_32(?), ref: 004C2B8C
                                                                                      • GetProcessHeap.KERNEL32(00000000,00000108), ref: 004C2BFB
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                      • String ID:
                                                                                      • API String ID: 1639031587-0
                                                                                      • Opcode ID: f51a4e5e2d09b5c9ef50e4bcf79cdc3fba603980c3cf15c51f56a7059582b510
                                                                                      • Instruction ID: cafd4fdd25b6662c9d656fa5875774a6e59ef40afaa90cd2ae709f58ff88c70d
                                                                                      • Opcode Fuzzy Hash: f51a4e5e2d09b5c9ef50e4bcf79cdc3fba603980c3cf15c51f56a7059582b510
                                                                                      • Instruction Fuzzy Hash: CB61ED759053159BC760AF65DE08F2FBBE8FB89744F04081FF84597250D7F998408BAA
                                                                                      APIs
                                                                                      • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004C70C2
                                                                                      • RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 004C719E
                                                                                      • RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 004C71B2
                                                                                      • RegCloseKey.ADVAPI32(74DF0F10), ref: 004C7208
                                                                                      • RegCloseKey.ADVAPI32(74DF0F10), ref: 004C7291
                                                                                      • ___ascii_stricmp.LIBCMT ref: 004C72C2
                                                                                      • RegCloseKey.ADVAPI32(74DF0F10), ref: 004C72D0
                                                                                      • RegCloseKey.ADVAPI32(74DF0F10), ref: 004C7314
                                                                                      • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 004C738D
                                                                                      • RegCloseKey.ADVAPI32(74DF0F10), ref: 004C73D8
                                                                                        • Part of subcall function 004CF1A5: lstrlenA.KERNEL32(000000C8,000000E4,004D22F8,000000C8,004C7150,?), ref: 004CF1AD
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                      • String ID: $"
                                                                                      • API String ID: 4293430545-3817095088
                                                                                      • Opcode ID: 6f7eda01279dd9b268d9736154a1aa3d5bdecbf5af0c1483a9bc9c5a2dc0616c
                                                                                      • Instruction ID: 94181ce953895b0dc587094da0ad521b5cfeef655ea2ddbf7cfe63569fb6bfe6
                                                                                      • Opcode Fuzzy Hash: 6f7eda01279dd9b268d9736154a1aa3d5bdecbf5af0c1483a9bc9c5a2dc0616c
                                                                                      • Instruction Fuzzy Hash: 83B18C76908209BBDB559FA1DC45FEF77B8EB04304F10046FF901E2291EB799A84CB68
                                                                                      APIs
                                                                                      • GetLocalTime.KERNEL32(?), ref: 004CAD98
                                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 004CADA6
                                                                                        • Part of subcall function 004CAD08: gethostname.WS2_32(?,00000080), ref: 004CAD1C
                                                                                        • Part of subcall function 004CAD08: lstrlenA.KERNEL32(00000000), ref: 004CAD60
                                                                                        • Part of subcall function 004CAD08: lstrlenA.KERNEL32(00000000), ref: 004CAD69
                                                                                        • Part of subcall function 004CAD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 004CAD7F
                                                                                        • Part of subcall function 004C30B5: gethostname.WS2_32(?,00000080), ref: 004C30D8
                                                                                        • Part of subcall function 004C30B5: gethostbyname.WS2_32(?), ref: 004C30E2
                                                                                      • wsprintfA.USER32 ref: 004CAEA5
                                                                                        • Part of subcall function 004CA7A3: inet_ntoa.WS2_32(?), ref: 004CA7A9
                                                                                      • wsprintfA.USER32 ref: 004CAE4F
                                                                                      • wsprintfA.USER32 ref: 004CAE5E
                                                                                        • Part of subcall function 004CEF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 004CEF92
                                                                                        • Part of subcall function 004CEF7C: lstrlenA.KERNEL32(?), ref: 004CEF99
                                                                                        • Part of subcall function 004CEF7C: lstrlenA.KERNEL32(00000000), ref: 004CEFA0
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                      • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                      • API String ID: 3631595830-1816598006
                                                                                      • Opcode ID: 11534b5893d6152d82265e1b6ce003e3d5b569ecf2bead75ea63c533b48218cf
                                                                                      • Instruction ID: d234995a2367e4c74b20424874586e35c73d65fa3da11884c17419cef30dd055
                                                                                      • Opcode Fuzzy Hash: 11534b5893d6152d82265e1b6ce003e3d5b569ecf2bead75ea63c533b48218cf
                                                                                      • Instruction Fuzzy Hash: 644150B690020C6BDB25AFA1DC45FEE3BADFB08304F14442FB91592151EB79E5148B55
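Two of the functions above build message header values: the one at 004CB2B3 formats a date with "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u" plus the Sun..Sat and Jan..Dec tables and the zone bias from GetTimeZoneInformation (the RFC 2822 Date shape), and the one at 004CAD98 produces "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX" and "%08x@%s" and refers to %OUTLOOK_BND_, %OUTLOOK_HST and %OUTLOOK_MID placeholders. The script below, added as an illustration and not code from the sample, reproduces those formats so the output of a message built this way can be recognised. The FILETIME reading of the boundary's last two fields (the shape Outlook Express uses), the counter values, the host name and the literal placeholder names are assumptions; the sample input date is the "Jan 13 2018 12:08:32" string present in the dump, which is likely a compile timestamp.

```python
"""Builds the header values whose format strings appear in the dump: an RFC 2822
Date line ("%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u" with the Sun..Sat / Jan..Dec
tables), an Outlook Express-style MIME boundary
("----=_NextPart_%03d_%04X_%08.8lX.%08.8lX", the last two fields taken as the
high and low halves of a FILETIME) and a Message-ID ("%08x@%s"), then fills the
%OUTLOOK_* placeholders of a template. Added example, not the sample's own code;
counters, host name and placeholder usage are assumptions."""
from datetime import datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]    # datetime.weekday() order
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
EPOCH_DIFF_100NS = 116444736000000000     # 1601-01-01 -> 1970-01-01 in 100 ns ticks


def rfc2822_date(local: datetime, bias_minutes: int) -> str:
    """bias_minutes follows TIME_ZONE_INFORMATION.Bias (UTC = local + Bias),
    so UTC+1 is Bias = -60 and renders as +0100."""
    offset = -bias_minutes
    sign = "+" if offset >= 0 else "-"
    offset = abs(offset)
    return "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u" % (
        DAYS[local.weekday()], local.day, MONTHS[local.month - 1], local.year,
        local.hour, local.minute, local.second, sign, offset // 60, offset % 60)


def filetime(utc: datetime) -> int:
    """Windows FILETIME (100 ns ticks since 1601-01-01) for a naive UTC datetime,
    computed in integers to avoid float rounding above 2**53."""
    delta = utc - datetime(1970, 1, 1)
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10 + EPOCH_DIFF_100NS


def outlook_boundary(part: int, seq: int, ft: int) -> str:
    return "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX" % (
        part, seq, ft >> 32, ft & 0xFFFFFFFF)


def message_id(counter: int, host: str) -> str:
    return "%08x@%s" % (counter, host)


def render(template: str, boundary: str, host: str, msgid: str) -> str:
    """Substitute the placeholder names seen in the dump (taken literally here)."""
    for key, val in (("%OUTLOOK_BND_", boundary), ("%OUTLOOK_HST", host),
                     ("%OUTLOOK_MID", msgid)):
        template = template.replace(key, val)
    return template


def demo_headers() -> dict:
    """Worked values for the date/time string found in the dump (Jan 13 2018
    12:08:32), treated as local time in UTC+1, plus UTC-5 for the sign case."""
    local = datetime(2018, 1, 13, 12, 8, 32)
    ft = filetime(datetime(2018, 1, 13, 11, 8, 32))      # same instant in UTC for Bias=-60
    host = "host1.example.test"                           # constructed host name
    boundary = outlook_boundary(0, 8, ft)
    msgid = message_id(0x0041ABCD, host)
    template = ('Message-ID: <%OUTLOOK_MID>\r\n'
                'Content-Type: multipart/mixed; boundary="%OUTLOOK_BND_"\r\n')
    return {"date_plus1": rfc2822_date(local, -60),
            "date_minus5": rfc2822_date(local, 300),
            "filetime": ft,
            "boundary": boundary,
            "msgid": msgid,
            "rendered": render(template, boundary, host, msgid)}


if __name__ == "__main__":
    for key, val in demo_headers().items():
        print(key, "=", val)
```

The boundary alone is not a detection signal, since genuine Outlook Express mail uses the same shape; what a mail filter can check is consistency, for example whether the FILETIME embedded in the boundary agrees with the Date header and the Received timestamps.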
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,004C2F0F,?,004C20FF,004D2000), ref: 004C2E01
                                                                                      • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,004C2F0F,?,004C20FF,004D2000), ref: 004C2E11
                                                                                      • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 004C2E2E
                                                                                      • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,004C2F0F,?,004C20FF,004D2000), ref: 004C2E4C
                                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,004C2F0F,?,004C20FF,004D2000), ref: 004C2E4F
                                                                                      • htons.WS2_32(00000035), ref: 004C2E88
                                                                                      • inet_addr.WS2_32(?), ref: 004C2E93
                                                                                      • gethostbyname.WS2_32(?), ref: 004C2EA6
                                                                                      • GetProcessHeap.KERNEL32(00000000,?,?,00000000,004C2F0F,?,004C20FF,004D2000), ref: 004C2EE3
                                                                                      • HeapFree.KERNEL32(00000000,?,00000000,004C2F0F,?,004C20FF,004D2000), ref: 004C2EE6
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                      • String ID: GetNetworkParams$iphlpapi.dll
                                                                                      • API String ID: 929413710-2099955842
                                                                                      • Opcode ID: 53a25f57b9eaada15a50bfcd634d2532699ef92a6b04ef59fc640d39ffb23ba2
                                                                                      • Instruction ID: 72f98568f992aba39c0864957b8b1a5a318112836e5b7174996e812825a85be6
                                                                                      • Opcode Fuzzy Hash: 53a25f57b9eaada15a50bfcd634d2532699ef92a6b04ef59fc640d39ffb23ba2
                                                                                      • Instruction Fuzzy Hash: 4931B139A0120AABDB519BB89D48F6F77B8AF05360F14012BE914F7390DBF8D9418B5C
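The function above resolves GetNetworkParams from iphlpapi.dll (the system's configured DNS servers), sets port 53 with htons(0x35), and tries inet_addr before gethostbyname; the earlier function at 004C2A83 opens a UDP socket, waits in select() and reads up to 0x1000 bytes. Together they are a self-contained DNS client. The script below, added as an illustration and not code from the sample, shows the same pieces in working form: resolver selection with the same inet_addr-then-gethostbyname order, a query builder, a response parser that handles name compression, and the UDP exchange with a select() timeout and a 0x1000-byte buffer. The record type queried and the exact packet layout the bot expects are assumptions; the response packet used by the parser is constructed, not captured traffic.

```python
"""Minimal DNS client pieces matching what the dump shows: resolver address taken
as a dotted quad (inet_addr) with a gethostbyname fallback, port 53 (htons(0x35)),
a UDP socket with a select() timeout and a 0x1000-byte receive buffer. Added
example, not the sample's code; the queried record type is an assumption and the
response below is a constructed packet so the parser runs offline."""
import select
import socket
import struct

DNS_PORT = 0x35
RECV_BUF = 0x1000
QTYPE = {"A": 1, "MX": 15}


def resolver_address(text: str) -> str:
    """inet_addr first, gethostbyname as fallback (the order seen at 004C2E93/004C2EA6)."""
    try:
        socket.inet_aton(text)
        return text
    except OSError:
        return socket.gethostbyname(text)


def build_query(txid: int, name: str, qtype: str = "A") -> bytes:
    """Standard query, recursion desired, one question, no EDNS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", QTYPE[qtype], 1)


def _read_name(pkt: bytes, off: int):
    """Decode a (possibly compressed) name; returns (name, offset after the field)."""
    labels, jumped, end = [], False, off
    while True:
        length = pkt[off]
        if (length & 0xC0) == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(pkt: bytes, txid: int):
    """Return a list of (name, type, data): dotted IPv4 for A, (preference,
    exchange) for MX, raw bytes for anything else."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = _read_name(pkt, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        if rtype == 1:
            data = socket.inet_ntoa(rdata)
        elif rtype == 15:
            data = (struct.unpack(">H", rdata[:2])[0], _read_name(pkt, off + 2)[0])
        else:
            data = rdata
        answers.append((name, rtype, data))
        off += rdlen
    return answers


def constructed_response(txid: int = 0x1234) -> bytes:
    """Constructed reply (not captured traffic): the echoed question plus one A
    and one MX answer, both using a pointer back to the question name."""
    question = build_query(txid, "example.test")[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    a_rr = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
    mx_rdata = struct.pack(">H", 10) + b"\x02mx\xC0\x0C"
    mx_rr = b"\xC0\x0C" + struct.pack(">HHIH", 15, 1, 300, len(mx_rdata)) + mx_rdata
    return header + question + a_rr + mx_rr


def query(server: str, name: str, qtype: str = "A", txid: int = 0x1234, timeout: float = 3.0):
    """Live UDP exchange: send one query, wait in select(), read one datagram."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    try:
        s.sendto(build_query(txid, name, qtype), (resolver_address(server), DNS_PORT))
        if not select.select([s], [], [], timeout)[0]:
            raise TimeoutError("no reply within %.1fs" % timeout)
        return parse_response(s.recv(RECV_BUF), txid)
    finally:
        s.close()


if __name__ == "__main__":
    print(parse_response(constructed_response(), 0x1234))
```

From a monitoring point of view the relevant trait is that the resolution is done by the injected svchost.exe over raw UDP/53, bypassing the Windows DNS client cache and its event log, so DNS visibility for this process has to come from the network rather than from the host resolver.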
                                                                                      APIs
                                                                                      • GetVersionExA.KERNEL32(?,?,004C9DD7,?,00000022,?,?,00000000,00000001), ref: 004C9340
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,004C9DD7,?,00000022,?,?,00000000,00000001), ref: 004C936E
                                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,004C9DD7,?,00000022,?,?,00000000,00000001), ref: 004C9375
                                                                                      • wsprintfA.USER32 ref: 004C93CE
                                                                                      • wsprintfA.USER32 ref: 004C940C
                                                                                      • wsprintfA.USER32 ref: 004C948D
                                                                                      • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004C94F1
                                                                                      • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 004C9526
                                                                                      • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 004C9571
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                      • String ID: runas
                                                                                      • API String ID: 3696105349-4000483414
                                                                                      • Opcode ID: e1a3b1b4c7f3ec3bcfae25919146c658c74a8f5c16e5939fcfb971e43de7c4dc
                                                                                      • Instruction ID: 7311013488d10516a1c5206dd7b59cb69d430209e4de0418194247aacd54144e
                                                                                      • Opcode Fuzzy Hash: e1a3b1b4c7f3ec3bcfae25919146c658c74a8f5c16e5939fcfb971e43de7c4dc
                                                                                      • Instruction Fuzzy Hash: 6BA172B6540248FBEB659FA1CC49FDF37ACEB04744F10402BFA0592291D7B9D944CBA9
APIs
• GetTickCount.KERNEL32 ref: 004C2078
• GetTickCount.KERNEL32 ref: 004C20D4
• GetTickCount.KERNEL32 ref: 004C20DB
• GetTickCount.KERNEL32 ref: 004C212B
• GetTickCount.KERNEL32 ref: 004C2132
• GetTickCount.KERNEL32 ref: 004C2142
  • Part of subcall function 004CF04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,004CE342,00000000,75A8EA50,80000001,00000000,004CE513,?,00000000,00000000,?,000000E4), ref: 004CF089
  • Part of subcall function 004CF04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,004CE342,00000000,75A8EA50,80000001,00000000,004CE513,?,00000000,00000000,?,000000E4,000000C8), ref: 004CF093
  • Part of subcall function 004CE854: lstrcpyA.KERNEL32(00000001,?,?,004CD8DF,00000001,localcfg,except_info,00100000,004D0264), ref: 004CE88B
  • Part of subcall function 004CE854: lstrlenA.KERNEL32(00000001,?,004CD8DF,00000001,localcfg,except_info,00100000,004D0264), ref: 004CE899
  • Part of subcall function 004C1C5F: wsprintfA.USER32 ref: 004C1CE1
Strings
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: 0fN$localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-2898490758
APIs
• wsprintfA.USER32 ref: 004CB467
  • Part of subcall function 004CEF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 004CEF92
  • Part of subcall function 004CEF7C: lstrlenA.KERNEL32(?), ref: 004CEF99
  • Part of subcall function 004CEF7C: lstrlenA.KERNEL32(00000000), ref: 004CEFA0
Strings
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
APIs
  • Part of subcall function 004CA4C7: GetTickCount.KERNEL32 ref: 004CA4D1
  • Part of subcall function 004CA4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 004CA4FA
• GetTickCount.KERNEL32 ref: 004CC31F
• GetTickCount.KERNEL32 ref: 004CC32B
• GetTickCount.KERNEL32 ref: 004CC363
• GetTickCount.KERNEL32 ref: 004CC378
• GetTickCount.KERNEL32 ref: 004CC44D
• InterlockedIncrement.KERNEL32(004CC4E4), ref: 004CC4AE
• CreateThread.KERNEL32(00000000,00000000,004CB535,00000000,?,004CC4E0), ref: 004CC4C1
• CloseHandle.KERNEL32(00000000,?,004CC4E0,004D3588,004C8810), ref: 004CC4CC
Strings
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 004CBE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 004CBE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 004CBE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 004CBF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 004CBF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 004CBF94
Strings
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID: smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-1625972887
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,004C9A60,?,?,004C9E9D), ref: 004C6A7D
• GetDiskFreeSpaceA.KERNEL32(004C9E9D,004C9A60,?,?,?,004D22F8,?,?,?,004C9A60,?,?,004C9E9D), ref: 004C6ABB
• GetLastError.KERNEL32(?,?,?,?,?,?,?,004C9A60,?,?,004C9E9D), ref: 004C6B40
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,004C9A60,?,?,004C9E9D), ref: 004C6B4E
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,004C9A60,?,?,004C9E9D), ref: 004C6B5F
• GetLastError.KERNEL32(?,?,?,?,?,?,?,004C9A60,?,?,004C9E9D), ref: 004C6B6F
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,004C9A60,?,?,004C9E9D), ref: 004C6B7D
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,004C9A60,?,?,004C9E9D), ref: 004C6B80
• GetLastError.KERNEL32(?,?,?,004C9A60,?,?,004C9E9D,?,?,?,?,?,004C9E9D,?,00000022,?), ref: 004C6B96
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
• String ID:
• API String ID: 3188212458-0
APIs
• GetUserNameA.ADVAPI32(?,004CD7C3), ref: 004C6F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,004CD7C3), ref: 004C6FC1
• ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 004C6FE8
• LocalFree.KERNEL32(00000120), ref: 004C701F
• wsprintfA.USER32 ref: 004C7036
Strings
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
• String ID: /%d$|
• API String ID: 676856371-4124749705
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004D22F8,000000E4,004C6DDC,000000C8), ref: 004C6CE7
• GetProcAddress.KERNEL32(00000000), ref: 004C6CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 004C6D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 004C6D2B
Strings
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
• API String ID: 1082366364-3395550214
APIs
• CreateProcessA.KERNEL32(00000000,004C9947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004D22F8), ref: 004C97B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004D22F8), ref: 004C97EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004D22F8), ref: 004C97F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004D22F8), ref: 004C9831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004D22F8), ref: 004C984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,004D22F8), ref: 004C985B
Strings
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
APIs
  • Part of subcall function 004CDD05: GetTickCount.KERNEL32 ref: 004CDD0F
  • Part of subcall function 004CDD05: InterlockedExchange.KERNEL32(004D36B4,00000001), ref: 004CDD44
  • Part of subcall function 004CDD05: GetCurrentThreadId.KERNEL32 ref: 004CDD53
  • Part of subcall function 004CDD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 004CDDB5
• lstrcpynA.KERNEL32(?,004C1E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,004CEAAA,?,?), ref: 004CE8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,004CEAAA,?,?,00000001,?,004C1E84,?), ref: 004CE935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,004CEAAA,?,?,00000001,?,004C1E84,?,0000000A), ref: 004CE93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,004CEAAA,?,?,00000001,?,004C1E84,?), ref: 004CE94F
Strings
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
APIs
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,004D22F8), ref: 004C907B
• wsprintfA.USER32 ref: 004C90E9
• CreateFileA.KERNEL32(004D22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004C910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 004C9122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 004C912D
• CloseHandle.KERNEL32(00000000), ref: 004C9134
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
                                                                                      • Opcode ID: 64c8c5a500366e8dc7622b98f4d76957bbfbf1ca69a40a5be735d5a62ab6586c
                                                                                      • Instruction ID: 9e3e3016c07ae1bce3abf8e7130bfff429177fd496e2378394487b6620b8ccc7
                                                                                      • Opcode Fuzzy Hash: 64c8c5a500366e8dc7622b98f4d76957bbfbf1ca69a40a5be735d5a62ab6586c
                                                                                      • Instruction Fuzzy Hash: EF1184B66411147BF7656B23EC0EFAF366DDBC5B04F00807FBB0AA6191EA744E019668
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 004CDD0F
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 004CDD20
                                                                                      • GetTickCount.KERNEL32 ref: 004CDD2E
                                                                                      • Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,004CE538,?,74DF0F10,?,00000000,?,004CA445), ref: 004CDD3B
                                                                                      • InterlockedExchange.KERNEL32(004D36B4,00000001), ref: 004CDD44
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 004CDD53
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 3819781495-0
                                                                                      • Opcode ID: bc05a9d8b0d5ef1a396ad13fbaacd0a08f61bc1b80268cee19e9782d779e078d
                                                                                      • Instruction ID: fafcfb2850569b7640972b914535e4d0e25ebde81a3780c7489f584e70542231
                                                                                      • Opcode Fuzzy Hash: bc05a9d8b0d5ef1a396ad13fbaacd0a08f61bc1b80268cee19e9782d779e078d
                                                                                      • Instruction Fuzzy Hash: 97F0BE76906204BBD7915F65BC84F293BA4E744312F00007BE20AC3260C7289545CE2F
                                                                                      APIs
                                                                                      • gethostname.WS2_32(?,00000080), ref: 004CAD1C
                                                                                      • lstrlenA.KERNEL32(00000000), ref: 004CAD60
                                                                                      • lstrlenA.KERNEL32(00000000), ref: 004CAD69
                                                                                      • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 004CAD7F
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$gethostnamelstrcpy
                                                                                      • String ID: LocalHost
                                                                                      • API String ID: 3695455745-3154191806
                                                                                      • Opcode ID: 1b3f385fa85f30b4f5aaecae4eb5b84f49e297ac8b8deed8ceaf5b290ec28de6
                                                                                      • Instruction ID: 719388dcd45ccf5874f294a38e04469f923d9ecf067f55b3889910d0af465ac9
                                                                                      • Opcode Fuzzy Hash: 1b3f385fa85f30b4f5aaecae4eb5b84f49e297ac8b8deed8ceaf5b290ec28de6
                                                                                      • Instruction Fuzzy Hash: BF01492C84418D5DDFB206289844FA63F779B9770EF10005FE4C2C7616D61C8853835F
                                                                                      APIs
                                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004C98FD,00000001,00000100,004D22F8,004CA3C7), ref: 004C4290
                                                                                      • CloseHandle.KERNEL32(004CA3C7), ref: 004C43AB
                                                                                      • CloseHandle.KERNEL32(00000001), ref: 004C43AE
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CloseHandle$CreateEvent
                                                                                      • String ID:
                                                                                      • API String ID: 1371578007-0
                                                                                      • Opcode ID: f0e4d0c38b3c2bdfffdbba55ef22ce55060f70a4e0bb16f71e74e709b1391079
                                                                                      • Instruction ID: ff6964a2d6be4fa81cb16f4f8f8f257047f809d2014470a055174496efe34d94
                                                                                      • Opcode Fuzzy Hash: f0e4d0c38b3c2bdfffdbba55ef22ce55060f70a4e0bb16f71e74e709b1391079
                                                                                      • Instruction Fuzzy Hash: 02418375D00109BADB10AFA2CD46FEF7FB8EF80325F10455EF514A2191D7389A41DB64
                                                                                      APIs
                                                                                      • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004C64CF,00000000), ref: 004C609C
                                                                                      • LoadLibraryA.KERNEL32(?,?,004C64CF,00000000), ref: 004C60C3
                                                                                      • GetProcAddress.KERNEL32(?,00000014), ref: 004C614A
                                                                                      • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 004C619E
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Read$AddressLibraryLoadProc
                                                                                      • String ID:
                                                                                      • API String ID: 2438460464-0
                                                                                      • Opcode ID: a128973405898bae28d53bc5d0b19d2051d9e7f9025a27c2e81c5989a9474e4f
                                                                                      • Instruction ID: e1d06ea70e973f5749cfa4e4386d6f8f31e1d9a6905ae892c542539093dc67fe
                                                                                      • Opcode Fuzzy Hash: a128973405898bae28d53bc5d0b19d2051d9e7f9025a27c2e81c5989a9474e4f
                                                                                      • Instruction Fuzzy Hash: D0418979A00106ABDB50CF59C880F6AB7B8EF04355F2AC06EE815D7391EB38ED41CB84
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID:
                                                                                      • String ID:
                                                                                      • API String ID:
                                                                                      • Opcode ID: 915389caf191f4b927dbb499c0a1a4a58cbdbcad14b903b848c3218b190806cb
                                                                                      • Instruction ID: b7b9f3a2ddcaad29d53cf7e0cf2c803e65e96e41b2114025743b39d289a67857
                                                                                      • Opcode Fuzzy Hash: 915389caf191f4b927dbb499c0a1a4a58cbdbcad14b903b848c3218b190806cb
                                                                                      • Instruction Fuzzy Hash: FB31BF79A00619ABCB509FA6CD81BBEB7F4FF48705F10446FE504E7241E3B8DA418B68
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 004C272E
                                                                                      • htons.WS2_32(00000001), ref: 004C2752
                                                                                      • htons.WS2_32(0000000F), ref: 004C27D5
                                                                                      • htons.WS2_32(00000001), ref: 004C27E3
                                                                                      • sendto.WS2_32(?,004D2BF8,00000009,00000000,00000010,00000010), ref: 004C2802
                                                                                        • Part of subcall function 004CEBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,004CEBFE,7FFF0001,?,004CDB55,7FFF0001), ref: 004CEBD3
                                                                                        • Part of subcall function 004CEBCC: RtlAllocateHeap.NTDLL(00000000,?,004CDB55,7FFF0001), ref: 004CEBDA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                      • String ID:
                                                                                      • API String ID: 1128258776-0
                                                                                      • Opcode ID: 4815b5e8a4fc83553270df3f8c82d4be42b37ce66466dd1b51c4f8b62bc2ad43
                                                                                      • Instruction ID: 47f37b8ba99dd51fb327272efef48c8fbce319c463e1ee92302f727ed2eae893
                                                                                      • Opcode Fuzzy Hash: 4815b5e8a4fc83553270df3f8c82d4be42b37ce66466dd1b51c4f8b62bc2ad43
                                                                                      • Instruction Fuzzy Hash: FB3104382823829FD7108F74D990E667760BF29318B19806FE8558B322D6F7E842D718
                                                                                      APIs
                                                                                      • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004D22F8), ref: 004C915F
                                                                                      • GetModuleFileNameA.KERNEL32(00000000), ref: 004C9166
                                                                                      • CharToOemA.USER32(?,?), ref: 004C9174
                                                                                      • wsprintfA.USER32 ref: 004C91A9
                                                                                        • Part of subcall function 004C9064: GetTempPathA.KERNEL32(00000400,?,00000000,004D22F8), ref: 004C907B
                                                                                        • Part of subcall function 004C9064: wsprintfA.USER32 ref: 004C90E9
                                                                                        • Part of subcall function 004C9064: CreateFileA.KERNEL32(004D22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004C910E
                                                                                        • Part of subcall function 004C9064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 004C9122
                                                                                        • Part of subcall function 004C9064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 004C912D
                                                                                        • Part of subcall function 004C9064: CloseHandle.KERNEL32(00000000), ref: 004C9134
                                                                                      • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004C91E1
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                      • String ID:
                                                                                      • API String ID: 3857584221-0
                                                                                      • Opcode ID: 61dd2dfb0d27c6cf5bfdcc0e8ed2b52b9fc8d5f41dec7d9f3c194100cf53e6a0
                                                                                      • Instruction ID: bbda71737a33205aba49252010a3e06eceab56714e82e6d61c84ba5d34d4fd65
                                                                                      • Opcode Fuzzy Hash: 61dd2dfb0d27c6cf5bfdcc0e8ed2b52b9fc8d5f41dec7d9f3c194100cf53e6a0
                                                                                      • Instruction Fuzzy Hash: 890152FA9401187BD760A7629D4DFDF777CDB95B05F0000A7B749E2040DAB49A858F74
                                                                                      APIs
                                                                                      • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,004C2491,?,?,?,004CE844,-00000030,?,?,?,00000001), ref: 004C2429
                                                                                      • lstrlenA.KERNEL32(?,?,004C2491,?,?,?,004CE844,-00000030,?,?,?,00000001,004C1E3D,00000001,localcfg,lid_file_upd), ref: 004C243E
                                                                                      • lstrcmpiA.KERNEL32(?,?), ref: 004C2452
                                                                                      • lstrlenA.KERNEL32(?,?,004C2491,?,?,?,004CE844,-00000030,?,?,?,00000001,004C1E3D,00000001,localcfg,lid_file_upd), ref: 004C2467
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: lstrlen$lstrcmpi
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 1808961391-1857712256
                                                                                      • Opcode ID: fdb7e888ffc0f2c163271c89e52a2f6db6ffeb1d1b4a651a09c81b7c5b2e48d9
                                                                                      • Instruction ID: 02d82fdf9c30a396887b112e9b028dc421f46b1408ab3955e29f86bff0103575
                                                                                      • Opcode Fuzzy Hash: fdb7e888ffc0f2c163271c89e52a2f6db6ffeb1d1b4a651a09c81b7c5b2e48d9
                                                                                      • Instruction Fuzzy Hash: F3011A35600218BFCF55EF69DD80ADE7BA9EF44354B01C42AE85997210E3B4EA40CA98
                                                                                      APIs
                                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 004C6F0F
                                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,*pL), ref: 004C6F24
                                                                                      • FreeSid.ADVAPI32(?), ref: 004C6F3E
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                      • String ID: *pL
                                                                                      • API String ID: 3429775523-2597219945
                                                                                      • Opcode ID: a8eb5ac75762d3d4ee7ec6705a97b516a73bd85534136a7b194bc7f13267106c
                                                                                      • Instruction ID: 2d6165f0756935f7d3e00eaf91cb47c33ddc6e682fbd10dc80b053c5d5a7d696
                                                                                      • Opcode Fuzzy Hash: a8eb5ac75762d3d4ee7ec6705a97b516a73bd85534136a7b194bc7f13267106c
                                                                                      • Instruction Fuzzy Hash: C8011E75901208BFDB11DFE4ED85FAE77B8EB04304F10887FE605E2151E7749944CA18
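The routine above (AllocateAndInitializeSid with a sub-authority count of 00000002 and sub-authorities 00000020 and 00000220, then CheckTokenMembership, then FreeSid) is the standard Win32 idiom for testing whether the current token is a member of BUILTIN\Administrators (S-1-5-32-544). The Python below is an added example, not part of this Joe Sandbox report or of the sample's code: it parses the report's "APIs" lines into structured records, rebuilds the SID from the stack arguments, decodes the CreateFileA and RegCreateKeyExA constants that appear in the listings above, and flags the admin-membership pattern. The sample trace is constructed from lines copied verbatim from this report; the line regex is tailored to this report's line format; and because the identifier authority is passed by pointer (shown as "?"), it is assumed to be SECURITY_NT_AUTHORITY (5), the authority under which sub-authority 32 means BUILTIN. Joe Sandbox prints stack words around the call site, not verified parameters, so decoded values are triage hints rather than proof, and an 8-hex-digit string literal (the report's 89ABCDEF, for instance) is indistinguishable from a number in this format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: "APIs" lines copied verbatim from this report (one
# subcall line included) so the parser runs offline against the real format.
SAMPLE_TRACE = """\
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 004C6F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*pL), ref: 004C6F24
• FreeSid.ADVAPI32(?), ref: 004C6F3E
• GetTempPathA.KERNEL32(00000400,?,00000000,004D22F8), ref: 004C907B
• wsprintfA.USER32 ref: 004C90E9
• CreateFileA.KERNEL32(004D22F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004C910E
• RegCreateKeyExA.ADVAPI32(80000001,004CE2A3,00000000,00000000,00000000,00020106,00000000,004CE2A3,00000000,000000E4), ref: 004CE0B2
  • Part of subcall function 004CEBCC: RtlAllocateHeap.NTDLL(00000000,?,004CDB55,7FFF0001), ref: 004CEBDA
"""

# Tailored to this report's line shape: "[• ][Part of subcall function X: ]Api.MODULE(args), ref: ADDR"
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*"
    r"ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list                         # int for 8-hex-digit words, None for '?', str otherwise
    ref: int                           # call-site address
    subcall_of: Optional[int] = None   # parent function when listed as "Part of subcall"

def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok):      # 8-hex literals like 89ABCDEF also land here
        return -int(tok[1:], 16) if tok[0] == "-" else int(tok, 16)
    return tok                                       # string argument such as LocalHost or *pL

def parse_trace(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m["args"]
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), sub))
    return calls

# Well-known constants for the calls seen in these listings.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators"}

def sid_from_allocate(call: ApiCall, authority: int = 5) -> str:
    """Rebuild the SID from AllocateAndInitializeSid's stack words: args[1] is the
    sub-authority count, args[2:] the sub-authorities. The identifier authority is
    passed by pointer ('?' in the trace), so SECURITY_NT_AUTHORITY (5) is assumed."""
    if len(call.args) < 2 or not isinstance(call.args[1], int):
        return "S-1-%d-?" % authority
    subs = call.args[2:2 + call.args[1]]
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))

def decode_flags(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)

def describe(call: ApiCall) -> str:
    """One-line decoding of the constants that matter for triage."""
    a = call.args
    if call.api == "AllocateAndInitializeSid":
        sid = sid_from_allocate(call)
        return "AllocateAndInitializeSid sid=%s (%s)" % (sid, WELL_KNOWN_SIDS.get(sid, "unknown"))
    if call.api == "CreateFileA" and len(a) >= 5 and isinstance(a[1], int) and isinstance(a[4], int):
        return "CreateFileA access=%s disposition=%s" % (
            decode_flags(a[1], GENERIC_ACCESS), DISPOSITION.get(a[4], hex(a[4])))
    if call.api == "RegCreateKeyExA" and a and isinstance(a[0], int):
        return "RegCreateKeyExA root=%s" % HKEY_ROOTS.get(a[0], hex(a[0]))
    return call.api

def find_admin_check(calls: List[ApiCall]) -> List[Tuple[int, int]]:
    """(ref of SID build, ref of CheckTokenMembership) pairs: the classic
    'is the caller in BUILTIN\\Administrators' test."""
    hits = []
    for i, c in enumerate(calls):
        if c.api == "AllocateAndInitializeSid" and sid_from_allocate(c) == "S-1-5-32-544":
            for later in calls[i + 1:]:
                if later.api == "CheckTokenMembership":
                    hits.append((c.ref, later.ref))
                    break
    return hits

if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    for c in calls:
        print("%08X %s" % (c.ref, describe(c)))
    print("admin checks:", [("%08X" % a, "%08X" % b) for a, b in find_admin_check(calls)])
```

Run against the whole report rather than the constructed sample, the same parser turns every "APIs" block into records keyed by call-site address, which is what you want for cross-referencing the dump at 004C0000 in IDA.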
APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
• Opcode ID: 7aa2cff6518119168288f3ed4639d535f9ed52aff59db381a5b01edf89d19578
• Instruction ID: 84b5394328a2147331d24bc0815d11a2c9abd36bad3f2e07c29c5e4be4830962
• Opcode Fuzzy Hash: 7aa2cff6518119168288f3ed4639d535f9ed52aff59db381a5b01edf89d19578
• Instruction Fuzzy Hash: D241DF369002989FDB61CF798C44FEE3BE89F0A310F24005AFD60D3252D638EA04CBA4

APIs
  • Part of subcall function 004CDD05: GetTickCount.KERNEL32 ref: 004CDD0F
  • Part of subcall function 004CDD05: InterlockedExchange.KERNEL32(004D36B4,00000001), ref: 004CDD44
  • Part of subcall function 004CDD05: GetCurrentThreadId.KERNEL32 ref: 004CDD53
• lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,004C5EC1), ref: 004CE693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,004C5EC1), ref: 004CE6E9
• lstrcmpA.KERNEL32(89ABCDEF,00000008,?,74DF0F10,00000000,?,004C5EC1), ref: 004CE722
Strings
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: 89ABCDEF
• API String ID: 3343386518-71641322
• Opcode ID: d3efcb5e32f33bcc5e0866d339d7c1cc3695e8c6d36f8e5d60e310e4b992dd45
• Instruction ID: 7371dad12bb96de9a93684eb0878a53b2e465794217836d885e7b4e340719145
• Opcode Fuzzy Hash: d3efcb5e32f33bcc5e0866d339d7c1cc3695e8c6d36f8e5d60e310e4b992dd45
• Instruction Fuzzy Hash: 1A31EF39A11302DBCBB18F66D884F6B37E4AB20324F10843FE55687650E778EC80CB89

APIs
• RegCreateKeyExA.ADVAPI32(80000001,004CE2A3,00000000,00000000,00000000,00020106,00000000,004CE2A3,00000000,000000E4), ref: 004CE0B2
• RegSetValueExA.ADVAPI32(004CE2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004D22F8), ref: 004CE127
• RegDeleteValueA.ADVAPI32(004CE2A3,?,?,?,?,?,000000C8,004D22F8), ref: 004CE158
• RegCloseKey.ADVAPI32(004CE2A3,?,?,?,?,000000C8,004D22F8,?,?,?,?,?,?,?,?,004CE2A3), ref: 004CE161
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID:
• API String ID: 2667537340-0
• Opcode ID: 646352c0c9f16613d89c48ceb7a7231b42a5116f7d3a4a47f93f18a21d0bcaa9
• Instruction ID: c8971767fb2ac80ca570c2cc04d4c6e26a28a397b76bbd8867e9f4c2389cfb9f
• Opcode Fuzzy Hash: 646352c0c9f16613d89c48ceb7a7231b42a5116f7d3a4a47f93f18a21d0bcaa9
• Instruction Fuzzy Hash: B7219C31A00229BBDF619EA6DC89F9F7FB9EF08754F044066F904A2150EB718A14CB94

APIs
• WriteFile.KERNEL32(00000000,00000000,004CA3C7,00000000,00000000,000007D0,00000001), ref: 004C3F44
• GetLastError.KERNEL32 ref: 004C3F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 004C3F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 004C3F72
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                      • String ID:
                                                                                      • API String ID: 3373104450-0
                                                                                      • Opcode ID: 7a7d4cb4c2b78da3e2cad14a4442e24face8452b64840a07d6d72b2a5d288852
                                                                                      • Instruction ID: fdc26bc39bfaa050d4059eb576baa465bec8c8854f790b0a682aa93603373568
                                                                                      • Opcode Fuzzy Hash: 7a7d4cb4c2b78da3e2cad14a4442e24face8452b64840a07d6d72b2a5d288852
                                                                                      • Instruction Fuzzy Hash: 4901E972912109ABDF01DF90ED44BEF7B7CEB04356F10842AFA01E2150D734DA158BBA
                                                                                      APIs
                                                                                      • ReadFile.KERNEL32(00000000,00000000,004CA3C7,00000000,00000000,000007D0,00000001), ref: 004C3FB8
                                                                                      • GetLastError.KERNEL32 ref: 004C3FC2
                                                                                      • WaitForSingleObject.KERNEL32(00000004,?), ref: 004C3FD3
                                                                                      • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 004C3FE6
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                      • String ID:
                                                                                      • API String ID: 888215731-0
                                                                                      • Opcode ID: 37c45f92fd704ab3fc4a43c7547d35be97bada8aaa74c108725e66dc2211e3a5
                                                                                      • Instruction ID: afd497f02c37896304344ead73dce5717c4bf5cbf805c1f54f41b6d096187b43
                                                                                      • Opcode Fuzzy Hash: 37c45f92fd704ab3fc4a43c7547d35be97bada8aaa74c108725e66dc2211e3a5
                                                                                      • Instruction Fuzzy Hash: 2901297291110AABDF01DF94ED45BEF3BBCEB08356F00842AF902E2050D734DA148BBA
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 004CA4D1
                                                                                      • GetTickCount.KERNEL32 ref: 004CA4E4
                                                                                      • Sleep.KERNEL32(00000000,?,004CC2E9,004CC4E0,00000000,localcfg,?,004CC4E0,004D3588,004C8810), ref: 004CA4F1
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 004CA4FA
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 0db20d39e1b77d56c2e2d9d4613632640ee4744cdf128cca5b8473f7a4df5c53
                                                                                      • Instruction ID: cf3f0bd912c0a20699f70d5dedefc067b740095c997432aeccba6528d9992e7c
                                                                                      • Opcode Fuzzy Hash: 0db20d39e1b77d56c2e2d9d4613632640ee4744cdf128cca5b8473f7a4df5c53
                                                                                      • Instruction Fuzzy Hash: FBE0263B20220877C7001BA5BD84F6A7388AB4A761F054037FB04D3240C65AA85141BF
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 004C4E9E
                                                                                      • GetTickCount.KERNEL32 ref: 004C4EAD
                                                                                      • Sleep.KERNEL32(0000000A,?,00000001), ref: 004C4EBA
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 004C4EC3
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 359984679506c8b9bd00185a2f69d818ca4672a8c03de0e52069ed0232604487
                                                                                      • Instruction ID: fe899e51c986c14b6a337e72d8100cd25e863c1add3c6f776be22d26ee618213
                                                                                      • Opcode Fuzzy Hash: 359984679506c8b9bd00185a2f69d818ca4672a8c03de0e52069ed0232604487
                                                                                      • Instruction Fuzzy Hash: 1AE0863A20221467D61027B9BE84F5A6799AB96361F060537E709D3180C65A984245B9
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 004C4BDD
                                                                                      • GetTickCount.KERNEL32 ref: 004C4BEC
                                                                                      • Sleep.KERNEL32(00000000,?,?,?,02A1B1BC,004C50F2), ref: 004C4BF9
                                                                                      • InterlockedExchange.KERNEL32(02A1B1B0,00000001), ref: 004C4C02
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: 24c3059b018bc6c89f0506260fcf988047c5eced751e5673ee5a22bdbe4ddcd8
                                                                                      • Instruction ID: 74c0b1106b67a8a95e34c2d611ca30b86a70f0da469873470ab45fb8748f94df
                                                                                      • Opcode Fuzzy Hash: 24c3059b018bc6c89f0506260fcf988047c5eced751e5673ee5a22bdbe4ddcd8
                                                                                      • Instruction Fuzzy Hash: 08E0863A24221467D75017A57E80F5A77989B96361F060077F708D3150D95AE84141B9
                                                                                      APIs
                                                                                      • GetTickCount.KERNEL32 ref: 004C3103
                                                                                      • GetTickCount.KERNEL32 ref: 004C310F
                                                                                      • Sleep.KERNEL32(00000000), ref: 004C311C
                                                                                      • InterlockedExchange.KERNEL32(?,00000001), ref: 004C3128
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick$ExchangeInterlockedSleep
                                                                                      • String ID:
                                                                                      • API String ID: 2207858713-0
                                                                                      • Opcode ID: e7d2dca63d41372aaf467d57ca0b581995c49d734370837b42f90053a575c2e0
                                                                                      • Instruction ID: d4df164f5b3d0751408e536eb6e67bf0107015de6418ce1592e3efe539ac51f6
                                                                                      • Opcode Fuzzy Hash: e7d2dca63d41372aaf467d57ca0b581995c49d734370837b42f90053a575c2e0
                                                                                      • Instruction Fuzzy Hash: 9FE0C239201215BFDB406F75BE44F5A6B9ADF84762F05403BF201D31A0C9554D01897A
                                                                                      APIs
                                                                                      • WriteFile.KERNEL32(004C9A60,?,?,00000000,00000000,004C9A60,?,00000000), ref: 004C69F9
                                                                                      • WriteFile.KERNEL32(004C9A60,?,004C9A60,00000000,00000000), ref: 004C6A27
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: FileWrite
                                                                                      • String ID: ,kL
                                                                                      • API String ID: 3934441357-930470209
                                                                                      • Opcode ID: 4a67c524b8be7eda31fe68ce1e04b5a9f9dc7b886f165af050711f4b67bd9f18
                                                                                      • Instruction ID: 1eaab636ce026711230c417406459cd0320d98ec8d0446c1d56b1ebb42c85878
                                                                                      • Opcode Fuzzy Hash: 4a67c524b8be7eda31fe68ce1e04b5a9f9dc7b886f165af050711f4b67bd9f18
                                                                                      • Instruction Fuzzy Hash: 6F313676A00209EFDB64CF69D984FAAB7F4EB04315F12846EE801E7200D375EE54CBA5
                                                                                      APIs
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTick
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 536389180-1857712256
                                                                                      • Opcode ID: 9a62ea1a0e63c7b18cc9a37d65d196c193d1fd21ef490ad41bc16e943ef0a8b5
                                                                                      • Instruction ID: ebff12fdd3d3671089170fba5c940ccc2c349161b095f7f037a0f1aef549ea77
                                                                                      • Opcode Fuzzy Hash: 9a62ea1a0e63c7b18cc9a37d65d196c193d1fd21ef490ad41bc16e943ef0a8b5
                                                                                      • Instruction Fuzzy Hash: 4721C03A611215AFCB908F64DD85F9ABBB9EB21315B29006FD802D7291CF38E940C75A
                                                                                      APIs
                                                                                      Strings
                                                                                      • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 004CC057
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CountTickwsprintf
                                                                                      • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                      • API String ID: 2424974917-1012700906
                                                                                      • Opcode ID: 6d4175e935614c6513606c3b1149b6062c895b6f419c232884d724964a263483
                                                                                      • Instruction ID: e1e08c355069369b10b68beb97e05226ce8fecbe86ca5c9c1a6733d483204003
                                                                                      • Opcode Fuzzy Hash: 6d4175e935614c6513606c3b1149b6062c895b6f419c232884d724964a263483
                                                                                      • Instruction Fuzzy Hash: B5119772100100FFDB429BA9DD44E567FA6FF88318B3481ADF6188E166D633D863EB50
                                                                                      APIs
                                                                                        • Part of subcall function 004C30FA: GetTickCount.KERNEL32 ref: 004C3103
                                                                                        • Part of subcall function 004C30FA: InterlockedExchange.KERNEL32(?,00000001), ref: 004C3128
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 004C3929
                                                                                      • GetCurrentThreadId.KERNEL32 ref: 004C3939
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 3716169038-2903620461
                                                                                      • Opcode ID: 6c6bc35a13817fedbc31e50f2360238e96e0ff1dc8d8b2c62a22c91371489de9
                                                                                      • Instruction ID: fec4b45eeb4c2abd2d77d790885c7b1682ae6160d866a753373832113c761bf4
                                                                                      • Opcode Fuzzy Hash: 6c6bc35a13817fedbc31e50f2360238e96e0ff1dc8d8b2c62a22c91371489de9
                                                                                      • Instruction Fuzzy Hash: AF1104B9900214EBD760DF1AD581B69F3F4FB09716F10856FE84497291C7B8AA80CFA9
                                                                                      APIs
                                                                                      • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,004CBD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 004CABB9
                                                                                      • InterlockedIncrement.KERNEL32(004D3640), ref: 004CABE1
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: IncrementInterlockedlstrcpyn
                                                                                      • String ID: %FROM_EMAIL
                                                                                      • API String ID: 224340156-2903620461
                                                                                      • Opcode ID: 8537b946b450c9db1de0ccd7afe2f1f6fd9eb928b6ee09c107edcc650c484ae3
                                                                                      • Instruction ID: 51245cf27a3111cb429c8a0c49fa3e8c2bd7059e7d14b82d54964c0e9711931e
                                                                                      • Opcode Fuzzy Hash: 8537b946b450c9db1de0ccd7afe2f1f6fd9eb928b6ee09c107edcc650c484ae3
                                                                                      • Instruction Fuzzy Hash: 4D019E35508288AFDB21CF18D881F967BA6AF15318F14449AE6808B353C379EA55CB96
                                                                                      APIs
                                                                                      • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004C26C3
                                                                                      • inet_ntoa.WS2_32(?), ref: 004C26E4
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: gethostbyaddrinet_ntoa
                                                                                      • String ID: localcfg
                                                                                      • API String ID: 2112563974-1857712256
                                                                                      • Opcode ID: 0d2e0d28fb9510006f9952e94c7ec37c3dff983b682081276bd165da9e02934f
                                                                                      • Instruction ID: 5e791386e0305f630fd5c8f216f1528c3f33e126128692a2cd480b98aa458bb2
                                                                                      • Opcode Fuzzy Hash: 0d2e0d28fb9510006f9952e94c7ec37c3dff983b682081276bd165da9e02934f
                                                                                      • Instruction Fuzzy Hash: 3BF082362492097BEF406FA5ED09F9A379CEB04350F10446FFA08CA090DBB5D94097AC
                                                                                      APIs
                                                                                      • RegisterServiceCtrlHandlerA.ADVAPI32(jjcfhqgg,Function_00009867), ref: 004C996C
                                                                                        • Part of subcall function 004C9892: SetServiceStatus.ADVAPI32(004D3394), ref: 004C98EB
                                                                                        • Part of subcall function 004C98F2: Sleep.KERNEL32(000003E8,00000100,004D22F8,004CA3C7), ref: 004C9909
                                                                                      Strings
                                                                                      Memory Dump Source
                                                                                      • Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
                                                                                      Joe Sandbox IDA Plugin
                                                                                      • Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
                                                                                      Yara matches
                                                                                      Similarity
                                                                                      • API ID: Service$CtrlHandlerRegisterSleepStatus
                                                                                      • String ID: hK$jjcfhqgg
                                                                                      • API String ID: 1317371667-1757453468
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,004CEB54,_alldiv,004CF0B7,80000001,00000000,00989680,00000000,?,?,?,004CE342,00000000,75A8EA50,80000001,00000000), ref: 004CEAF2
• GetProcAddress.KERNEL32(76E90000,00000000), ref: 004CEB07
Strings
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
APIs
  • Part of subcall function 004C2D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,004C2F01,?,004C20FF,004D2000), ref: 004C2D3A
  • Part of subcall function 004C2D21: LoadLibraryA.KERNEL32(?), ref: 004C2D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004C2F73
• HeapFree.KERNEL32(00000000), ref: 004C2F7A
Memory Dump Source
• Source File: 00000011.00000002.2902905763.00000000004C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 004C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_4c0000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0