Windows Analysis Report
vyrcclmm.exe

Overview

General Information

Sample name: vyrcclmm.exe
Analysis ID: 1468508
MD5: 52d6521fdf86ef42b47afa05bf06225f
SHA1: ffe1dca080b60cac20e6d2dcba807388badde68f
SHA256: 039bcb175a6042892395691ef543d82135ff3e0542cc18a30b791d20d205b966
Tags: exe

Detection

Tofsee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Query firmware table information (likely to detect VMs)
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Use Short Name Path in Command Line
Sigma detected: Windows Defender Exclusions Added - Registry
Uses SMTP (mail sending)
Yara signature match

Classification

  • System is w10x64
  • vyrcclmm.exe (PID: 6316 cmdline: "C:\Users\user\Desktop\vyrcclmm.exe" MD5: 52D6521FDF86EF42B47AFA05BF06225F)
    • cmd.exe (PID: 4536 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bzycpcet\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4512 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\bzycpcet\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2684 cmdline: "C:\Windows\System32\sc.exe" create bzycpcet binPath= "C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d\"C:\Users\user\Desktop\vyrcclmm.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 2920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1000 cmdline: "C:\Windows\System32\sc.exe" description bzycpcet "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 5444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 1836 cmdline: "C:\Windows\System32\sc.exe" start bzycpcet MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 2644 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 2232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 4428 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 3736 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 6148 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 1452 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 5916 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 6880 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 1476 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 2168 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • pspizbvl.exe (PID: 7016 cmdline: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d"C:\Users\user\Desktop\vyrcclmm.exe" MD5: 38DF4E4C47840B37306FF102DD07903D)
    • svchost.exe (PID: 2132 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • svchost.exe (PID: 6380 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 1624 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
Extracted malware configuration: {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Yara matches on memory dumps (Source; Rule; Description; Author; Strings):

Source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
Source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp; Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
Source: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
Source: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Smokeloader_3687686f; Description: unknown; Author: unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Yara matches on unpacked PE files (Source; Rule; Description; Author; Strings):

Source: 0.2.vyrcclmm.exe.29c0e67.1.unpack; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 0.2.vyrcclmm.exe.29c0e67.1.unpack; Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
Source: 20.3.pspizbvl.exe.3130000.0.unpack; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 20.3.pspizbvl.exe.3130000.0.unpack; Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
Source: 0.3.vyrcclmm.exe.4460000.0.unpack; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3

System Summary (Sigma rule matches)

Source: Process started
Author: David Burkett, @signalblur
Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d"C:\Users\user\Desktop\vyrcclmm.exe", ParentImage: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe, ParentProcessId: 7016, ParentProcessName: pspizbvl.exe, ProcessCommandLine: svchost.exe, ProcessId: 2132, ProcessName: svchost.exe

Source: Process started
Author: Nasreddine Bencherchali (Nextron Systems)
Data: Command: "C:\Windows\System32\sc.exe" create bzycpcet binPath= "C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d\"C:\Users\user\Desktop\vyrcclmm.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create bzycpcet binPath= "C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d\"C:\Users\user\Desktop\vyrcclmm.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\vyrcclmm.exe", ParentImage: C:\Users\user\Desktop\vyrcclmm.exe, ParentProcessId: 6316, ParentProcessName: vyrcclmm.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create bzycpcet binPath= "C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d\"C:\Users\user\Desktop\vyrcclmm.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 2684, ProcessName: sc.exe

Source: Network Connection
Author: frack113
Data: DestinationIp: 52.101.11.0, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 2132, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49705

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d"C:\Users\user\Desktop\vyrcclmm.exe", ParentImage: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe, ParentProcessId: 7016, ParentProcessName: pspizbvl.exe, ProcessCommandLine: svchost.exe, ProcessId: 2132, ProcessName: svchost.exe

Source: Process started
Author: frack113, Nasreddine Bencherchali
Data: Command: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\bzycpcet\, CommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\bzycpcet\, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\vyrcclmm.exe", ParentImage: C:\Users\user\Desktop\vyrcclmm.exe, ParentProcessId: 6316, ParentProcessName: vyrcclmm.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\bzycpcet\, ProcessId: 4512, ProcessName: cmd.exe

Source: Registry Key set
Author: Christian Burkard (Nextron Systems)
Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2132, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\bzycpcet

Source: Process started
Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
Data: Command: "C:\Windows\System32\sc.exe" create bzycpcet binPath= "C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d\"C:\Users\user\Desktop\vyrcclmm.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create bzycpcet binPath= "C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d\"C:\Users\user\Desktop\vyrcclmm.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\vyrcclmm.exe", ParentImage: C:\Users\user\Desktop\vyrcclmm.exe, ParentProcessId: 6316, ParentProcessName: vyrcclmm.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create bzycpcet binPath= "C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d\"C:\Users\user\Desktop\vyrcclmm.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 2684, ProcessName: sc.exe

Source: Process started
Author: vburov
Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 4428, ProcessName: svchost.exe
      No Snort rule has matched

      AV Detection

Source: vanaheim.cn:443; Avira URL Cloud: Label: phishing
Source: 0.2.vyrcclmm.exe.29c0e67.1.raw.unpack; Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: jotunheim.name; Virustotal: Detection: 13%
Source: vanaheim.cn; Virustotal: Detection: 17%
Source: jotunheim.name:443; Virustotal: Detection: 12%
Source: vanaheim.cn:443; Virustotal: Detection: 7%
Source: vyrcclmm.exe; Virustotal: Detection: 43%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.0% probability
Source: C:\Users\user\AppData\Local\Temp\pspizbvl.exe; Joe Sandbox ML: detected
Source: vyrcclmm.exe; Joe Sandbox ML: detected

      Compliance

Source: C:\Users\user\Desktop\vyrcclmm.exe; Unpacked PE file: 0.2.vyrcclmm.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe; Unpacked PE file: 20.2.pspizbvl.exe.400000.0.unpack
Source: C:\Users\user\Desktop\vyrcclmm.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll

      Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\bzycpcet

      Networking

Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 195.133.13.231 443
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 94.100.180.31 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 104.47.54.36 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 173.194.76.26 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 52.101.11.0 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 67.195.204.77 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 67.195.204.72 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 80.66.75.11 443
Source: Malware configuration extractor; URLs: vanaheim.cn:443
Source: Malware configuration extractor; URLs: jotunheim.name:443
Source: Joe Sandbox View; IP Address: 52.101.11.0
Source: Joe Sandbox View; IP Address: 217.69.139.150
Source: Joe Sandbox View; IP Address: 67.195.204.77
Source: Joe Sandbox View; IP Address: 67.195.204.72
Source: Joe Sandbox View; ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View; ASN Name: MAILRU-ASMailRuRU
Source: Joe Sandbox View; ASN Name: YAHOO-3US
Source: Joe Sandbox View; ASN Name: YAHOO-3US
Source: global traffic; TCP traffic: 192.168.2.7:49705 -> 52.101.11.0:25
Source: global traffic; TCP traffic: 192.168.2.7:49707 -> 67.195.204.72:25
Source: global traffic; TCP traffic: 192.168.2.7:49708 -> 173.194.76.26:25
Source: global traffic; TCP traffic: 192.168.2.7:49713 -> 94.100.180.31:25
Source: global traffic; TCP traffic: 192.168.2.7:49717 -> 104.47.54.36:25
Source: global traffic; TCP traffic: 192.168.2.7:49719 -> 67.195.204.77:25
Source: global traffic; TCP traffic: 192.168.2.7:49722 -> 217.69.139.150:25
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\vyrcclmm.exe; Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic; DNS traffic detected: DNS query: time.windows.com
Source: global traffic; DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic; DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic; DNS traffic detected: DNS query: yahoo.com
Source: global traffic; DNS traffic detected: DNS query: mta5.am0.yahoodns.net
Source: global traffic; DNS traffic detected: DNS query: google.com
Source: global traffic; DNS traffic detected: DNS query: smtp.google.com
Source: global traffic; DNS traffic detected: DNS query: mail.ru
Source: global traffic; DNS traffic detected: DNS query: mxs.mail.ru
Source: global traffic; DNS traffic detected: DNS query: jotunheim.name
      Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
      Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
      Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
      Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443

      Spam, unwanted Advertisements and Ransom Demands

      Source: Yara match | File source: 24.2.svchost.exe.450000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.vyrcclmm.exe.29c0e67.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.2.pspizbvl.exe.3130000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.2.pspizbvl.exe.3130000.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.2.pspizbvl.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.vyrcclmm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.3.vyrcclmm.exe.4460000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.vyrcclmm.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.3.pspizbvl.exe.3130000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 24.2.svchost.exe.450000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.1257457512.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000014.00000003.1384034173.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000014.00000002.1689340348.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
      Source: Yara match | File source: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: vyrcclmm.exe PID: 6316, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: pspizbvl.exe PID: 7016, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2132, type: MEMORYSTR

      System Summary

      Source: 0.2.vyrcclmm.exe.29c0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 0.2.vyrcclmm.exe.29c0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 20.3.pspizbvl.exe.3130000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 20.3.pspizbvl.exe.3130000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 0.3.vyrcclmm.exe.4460000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 0.3.vyrcclmm.exe.4460000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 20.2.pspizbvl.exe.29b0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 20.2.pspizbvl.exe.29b0e67.1.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 24.2.svchost.exe.450000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 24.2.svchost.exe.450000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 0.2.vyrcclmm.exe.29c0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 0.2.vyrcclmm.exe.29c0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 20.2.pspizbvl.exe.3130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 20.2.pspizbvl.exe.3130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 20.2.pspizbvl.exe.3130000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 20.2.pspizbvl.exe.3130000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 20.2.pspizbvl.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 20.2.pspizbvl.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 20.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 20.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 20.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 20.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 0.2.vyrcclmm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 0.2.vyrcclmm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 0.3.vyrcclmm.exe.4460000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 0.3.vyrcclmm.exe.4460000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 0.2.vyrcclmm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 0.2.vyrcclmm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 20.3.pspizbvl.exe.3130000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 20.3.pspizbvl.exe.3130000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 24.2.svchost.exe.450000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 24.2.svchost.exe.450000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 00000000.00000003.1257457512.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 00000000.00000003.1257457512.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 00000000.00000002.3694703474.00000000028E2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 00000014.00000003.1384034173.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 00000014.00000003.1384034173.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 00000014.00000002.1689340348.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 00000014.00000002.1689340348.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
      Source: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
      Source: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 00000014.00000002.1689220789.00000000029ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
      Source: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
      Source: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects Tofsee Author: ditekSHen
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process Stats: CPU usage > 49%
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle | 0_2_00408E26
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError,LocalAlloc | 0_2_00401280
      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\bzycpcet\
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_0040C913 | 0_2_0040C913
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Code function: 20_2_0040C913 | 20_2_0040C913
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 24_2_0045C913 | 24_2_0045C913
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: String function: 0040EE2A appears 40 times
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: String function: 00402544 appears 53 times
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: String function: 029C27AB appears 35 times
      Source: vyrcclmm.exe, 00000000.00000002.3693491534.0000000002815000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesAtlassing0 vs vyrcclmm.exe
      Source: vyrcclmm.exe, 00000000.00000002.3694830598.0000000002945000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesc.exej% vs vyrcclmm.exe
      Source: vyrcclmm.exe, 00000000.00000002.3694830598.0000000002928000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesAtlassing0 vs vyrcclmm.exe
      Source: vyrcclmm.exe | Binary or memory string: OriginalFilenamesAtlassing0 vs vyrcclmm.exe
      Source: 0.2.vyrcclmm.exe.29c0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 0.2.vyrcclmm.exe.29c0e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 20.3.pspizbvl.exe.3130000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 20.3.pspizbvl.exe.3130000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 0.3.vyrcclmm.exe.4460000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 0.3.vyrcclmm.exe.4460000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 20.2.pspizbvl.exe.29b0e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 20.2.pspizbvl.exe.29b0e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 24.2.svchost.exe.450000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 24.2.svchost.exe.450000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 0.2.vyrcclmm.exe.29c0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 0.2.vyrcclmm.exe.29c0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 20.2.pspizbvl.exe.3130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 20.2.pspizbvl.exe.3130000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 20.2.pspizbvl.exe.3130000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 20.2.pspizbvl.exe.3130000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 20.2.pspizbvl.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 20.2.pspizbvl.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 20.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 20.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 20.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 20.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 0.2.vyrcclmm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 0.2.vyrcclmm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 0.3.vyrcclmm.exe.4460000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 0.3.vyrcclmm.exe.4460000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 0.2.vyrcclmm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 0.2.vyrcclmm.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 20.3.pspizbvl.exe.3130000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 20.3.pspizbvl.exe.3130000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 24.2.svchost.exe.450000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 24.2.svchost.exe.450000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
      Source: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 00000000.00000003.1257457512.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 00000000.00000003.1257457512.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 00000000.00000002.3694703474.00000000028E2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: 00000014.00000003.1384034173.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 00000014.00000003.1384034173.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 00000014.00000002.1689340348.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 00000014.00000002.1689340348.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
      Source: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 00000014.00000002.1689220789.00000000029ED000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
      Source: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
      Source: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@34/6@14/9
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError | 0_2_00406A60
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_028E6DBC CreateToolhelp32Snapshot,Module32First | 0_2_028E6DBC
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 0_2_00409A6B
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Code function: 20_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,20_2_00409A6B
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 24_2_00459A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,24_2_00459A6B
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2920:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1428:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4696:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5444:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2232:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4268:120:WilError_03
      Source: C:\Users\user\Desktop\vyrcclmm.exe | File created: C:\Users\user~1\AppData\Local\Temp\pspizbvl.exe
      Source: C:\Users\user\Desktop\vyrcclmm.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: vyrcclmm.exe | Virustotal: Detection: 43%
      Source: C:\Users\user\Desktop\vyrcclmm.exe | File read: C:\Users\user\Desktop\vyrcclmm.exe
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_20-14590
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_0-14479
      Source: unknown | Process created: C:\Users\user\Desktop\vyrcclmm.exe "C:\Users\user\Desktop\vyrcclmm.exe"
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bzycpcet\
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\bzycpcet\
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create bzycpcet binPath= "C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d\"C:\Users\user\Desktop\vyrcclmm.exe\"" type= own start= auto DisplayName= "wifi support"
      Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description bzycpcet "wifi internet conection"
      Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start bzycpcet
      Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d"C:\Users\user\Desktop\vyrcclmm.exe"
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
      Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
      Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: msimg32.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: dbghelp.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: msvcr100.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: edputil.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: appresolver.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: bcp47langs.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: slc.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: sppc.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: moshost.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mapsbtsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mosstorage.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ztrace_maps.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mapconfiguration.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: aphostservice.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: networkhelper.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userdataplatformhelperutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: syncutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mccspal.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: vaultcli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dmcfgutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wintypes.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dmcmnutils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dmxmlhelputils.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: inproclogger.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: windows.networking.connectivity.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: synccontroller.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: pimstore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: aphostclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: accountaccessor.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dsclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: systemeventsbrokerclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userdatalanguageutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mccsengineshared.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cemapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userdatatypehelperutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: phoneutil.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: storsvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: devobj.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: fltlib.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: bcd.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wer.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: storageusage.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: usosvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: updatepolicy.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cabinet.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: taskschd.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: upshared.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: usocoreps.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: usoapi.dll
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Section loaded: apphelp.dll
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Section loaded: winhttp.dll
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Section loaded: msimg32.dll
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Section loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Section loaded: msvcr100.dll
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: w32time.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: logoncli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: vmictimeprovider.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: napinsp.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: pnrpnsp.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wshbth.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: nlaapi.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winrnr.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanagersvc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanager.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: mpclient.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: secur32.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sspicli.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: version.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: msasn1.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: kernel.appcore.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: userenv.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: gpapi.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wbemcomn.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: amsi.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: profapi.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: wscapi.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: urlmon.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: iertutil.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: srvcli.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: netutils.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: slc.dll
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Section loaded: sppc.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
      Source: vyrcclmm.exeStatic file information: File size 10890752 > 1048576
      Source: C:\Users\user\Desktop\vyrcclmm.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

      Data Obfuscation

      Source: C:\Users\user\Desktop\vyrcclmm.exe | Unpacked PE file: 0.2.vyrcclmm.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Unpacked PE file: 20.2.pspizbvl.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Unpacked PE file: 0.2.vyrcclmm.exe.400000.0.unpack
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Unpacked PE file: 20.2.pspizbvl.exe.400000.0.unpack
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, | 0_2_00406069

      Persistence and Installation Behavior

      Source: unknown | Executable created and started: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe
      Source: C:\Users\user\Desktop\vyrcclmm.exe | File created: C:\Users\user\AppData\Local\Temp\pspizbvl.exe
      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe (copy)
      Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe (copy)
      Source: C:\Windows\System32\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, | 0_2_00409A6B
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create bzycpcet binPath= "C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d\"C:\Users\user\Desktop\vyrcclmm.exe\"" type= own start= auto DisplayName= "wifi support"
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 0_2_00401000
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Windows\System32\svchost.exe | System information queried: FirmwareTableInformation
      Source: C:\Windows\System32\svchost.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, | 24_2_0045199C
      Source: C:\Windows\SysWOW64\svchost.exe | Window / User API: threadDelayed 716
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_0-15434
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_20-14986
      Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) | graph_24-7604
      Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision | graph_24-6139
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_20-14966
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-14925
      Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_24-7326
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_0-14495
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_20-14605
      Source: C:\Users\user\Desktop\vyrcclmm.exe | API coverage: 6.1 %
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | API coverage: 4.6 %
      Source: C:\Windows\SysWOW64\svchost.exe TID: 1836 | Thread sleep count: 716 > 30
      Source: C:\Windows\SysWOW64\svchost.exe TID: 1836 | Thread sleep time: -716000s >= -30000s
      Source: C:\Windows\SysWOW64\svchost.exe TID: 1836 | Thread sleep count: 163 > 30
      Source: C:\Windows\SysWOW64\svchost.exe TID: 1836 | Thread sleep time: -163000s >= -30000s
      Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
      Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
      Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\ FullSizeInformation
      Source: C:\Windows\System32\svchost.exe | File Volume queried: C:\Windows\System32 FullSizeInformation
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, | 0_2_00401D96
      Source: svchost.exe, 00000009.00000002.3692737951.000002266A42B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
      Source: svchost.exe, 00000018.00000002.3692735595.0000000002A00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllYc
      Source: svchost.exe, 00000009.00000002.3692737951.000002266A42B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: svchost.exe, 00000009.00000002.3693748237.000002266A480000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
      Source: svchost.exe, 00000009.00000002.3693748237.000002266A466000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:odul
      Source: svchost.exe, 00000009.00000002.3693748237.000002266A466000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
      Source: svchost.exe, 00000009.00000002.3691899523.000002266A402000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
      Source: svchost.exe, 00000009.00000002.3694320773.000002266A502000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
      Source: svchost.exe, 00000009.00000002.3692737951.000002266A42B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
      Source: svchost.exe, 00000009.00000002.3693188714.000002266A44D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
      Source: svchost.exe, 00000017.00000002.3692836823.0000024941A2B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: C:\Users\user\Desktop\vyrcclmm.exe | API call chain: ExitProcess graph end node | graph_0-14928
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | API call chain: ExitProcess graph end node | graph_20-14978

      Anti Debugging

      Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep | graph_24-7491
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, | 0_2_00406069
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_028E6699 push dword ptr fs:[00000030h] | 0_2_028E6699
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_029C0D90 mov eax, dword ptr fs:[00000030h] | 0_2_029C0D90
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_029C092B mov eax, dword ptr fs:[00000030h] | 0_2_029C092B
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Code function: 20_2_029B0D90 mov eax, dword ptr fs:[00000030h] | 20_2_029B0D90
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Code function: 20_2_029B092B mov eax, dword ptr fs:[00000030h] | 20_2_029B092B
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Code function: 20_2_029F10E1 push dword ptr fs:[00000030h] | 20_2_029F10E1
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, | 0_2_0040EBCC
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, | 0_2_00409A6B
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Code function: 20_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, | 20_2_00409A6B
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 24_2_00459A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, | 24_2_00459A6B

      HIPS / PFW / Operating System Protection Evasion

      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 195.133.13.231 443
      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 94.100.180.31 25
      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.54.36 25
      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 173.194.76.26 25
      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.11.0 25
      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.204.77 25
      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.204.72 25
      Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 80.66.75.11 443
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 450000 protect: page execute and read and write
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 450000 value starts with: 4D5A
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 450000
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 335008
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bzycpcet\
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\bzycpcet\
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create bzycpcet binPath= "C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d\"C:\Users\user\Desktop\vyrcclmm.exe\"" type= own start= auto DisplayName= "wifi support"
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description bzycpcet "wifi internet conection"
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start bzycpcet
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, | 0_2_00407809
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid, | 0_2_00406EDD
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
      Source: C:\Windows\System32\svchost.exe | Queries volume information: C: VolumeInformation
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle, | 0_2_0040405E
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount, | 0_2_0040EC54
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree, | 0_2_00407809
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA, | 0_2_0040B211
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,VirtualProtect, | 0_2_00409326

      Lowering of HIPS / PFW / Operating System Security Settings

      Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      Source: svchost.exe, 0000000F.00000002.3695104345.000001D4A3D02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Files%\Windows Defender\MsMpeng.exe
      Source: svchost.exe, 0000000F.00000002.3695104345.000001D4A3D02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
      Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
      Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

      Stealing of Sensitive Information

      Source: Yara match | File source: 24.2.svchost.exe.450000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.vyrcclmm.exe.29c0e67.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.2.pspizbvl.exe.3130000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.2.pspizbvl.exe.3130000.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.2.pspizbvl.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.vyrcclmm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.3.vyrcclmm.exe.4460000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.vyrcclmm.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.3.pspizbvl.exe.3130000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 24.2.svchost.exe.450000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.1257457512.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000014.00000003.1384034173.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000014.00000002.1689340348.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
      Source: Yara match | File source: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: vyrcclmm.exe PID: 6316, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: pspizbvl.exe PID: 7016, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2132, type: MEMORYSTR

      Remote Access Functionality

      Source: Yara match | File source: 24.2.svchost.exe.450000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.vyrcclmm.exe.29c0e67.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.2.pspizbvl.exe.3130000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.2.pspizbvl.exe.3130000.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.2.pspizbvl.exe.29b0e67.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.2.pspizbvl.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.2.pspizbvl.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.vyrcclmm.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.3.vyrcclmm.exe.4460000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.vyrcclmm.exe.400000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 20.3.pspizbvl.exe.3130000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 24.2.svchost.exe.450000.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000003.1257457512.0000000004460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000014.00000003.1384034173.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000014.00000002.1689340348.0000000003130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
      Source: Yara match | File source: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: vyrcclmm.exe PID: 6316, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: pspizbvl.exe PID: 7016, type: MEMORYSTR
      Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2132, type: MEMORYSTR
      Source: C:\Users\user\Desktop\vyrcclmm.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, | 0_2_004088B0
      Source: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe | Code function: 20_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, | 20_2_004088B0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 24_2_004588B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname, | 24_2_004588B0
MITRE ATT&CK Matrix, listed by tactic (numbers in parentheses are the signature counts from the original matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation (1); Native API (41); Command and Scripting Interpreter (2); Service Execution (3); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Valid Accounts (1); Windows Service (14); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: DLL Side-Loading (1); Valid Accounts (1); Access Token Manipulation (1); Windows Service (14); Process Injection (412); RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (4); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (2); DLL Side-Loading (1); Masquerading (12); Valid Accounts (1); Access Token Manipulation (1); Virtualization/Sandbox Evasion (23); Process Injection (412)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (1); System Information Discovery (26); Security Software Discovery (251); Virtualization/Sandbox Evasion (23); Process Discovery (1); Application Window Discovery (1); System Owner/User Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (12); Non-Application Layer Protocol (1); Application Layer Protocol (112); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID: 1468508, Sample: vyrcclmm.exe, Start date: 06/07/2024, Architecture: WINDOWS, Score: 100)

Start node:
  DNS/IP: yahoo.com; vanaheim.cn; 8 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
  Started processes: pspizbvl.exe; vyrcclmm.exe; svchost.exe; 8 other processes

pspizbvl.exe:
  Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
  Started: svchost.exe

vyrcclmm.exe:
  Dropped file: C:\Users\user\AppData\Local\...\pspizbvl.exe, PE32
  Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
  Started: cmd.exe; netsh.exe; cmd.exe; 3 other processes

svchost.exe (started from the start node):
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  Started: MpCmdRun.exe

8 other processes:
  Signatures: Query firmware table information (likely to detect VMs)

svchost.exe (started by pspizbvl.exe):
  DNS/IP: mta5.am0.yahoodns.net 67.195.204.72, port 25, YAHOO-3US, United States; 67.195.204.77, port 25, YAHOO-3US, United States; 7 other IPs or domains
  Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Adds extensions / path to Windows Defender exclusion list (Registry)

cmd.exe (first instance):
  Dropped file: C:\Windows\SysWOW64\...\pspizbvl.exe (copy), PE32
  Started: conhost.exe

netsh.exe: started conhost.exe
cmd.exe (second instance): started conhost.exe
MpCmdRun.exe: started conhost.exe
3 other processes: started conhost.exe (three instances)

Source | Detection | Scanner | Label | Link
vyrcclmm.exe | 43% | Virustotal | | Browse
vyrcclmm.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\pspizbvl.exe | 100% | Joe Sandbox ML | |

No Antivirus matches

Source | Detection | Scanner | Label | Link
mxs.mail.ru | 0% | Virustotal | | Browse
mta5.am0.yahoodns.net | 0% | Virustotal | | Browse
jotunheim.name | 14% | Virustotal | | Browse
microsoft-com.mail.protection.outlook.com | 0% | Virustotal | | Browse
vanaheim.cn | 17% | Virustotal | | Browse
yahoo.com | 0% | Virustotal | | Browse
google.com | 0% | Virustotal | | Browse
mail.ru | 0% | Virustotal | | Browse
smtp.google.com | 0% | Virustotal | | Browse
time.windows.com | 0% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | 0% | Avira URL Cloud | safe |
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | 0% | Avira URL Cloud | safe |
https://dev.ditu.live.com/REST/v1/Routes/ | 0% | Avira URL Cloud | safe |
https://dev.virtualearth.net/REST/v1/Routes/Driving | 0% | Avira URL Cloud | safe |
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | 0% | Avira URL Cloud | safe |
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | 0% | Virustotal | | Browse
https://dev.virtualearth.net/REST/v1/Routes/Driving | 0% | Virustotal | | Browse
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | 0% | Avira URL Cloud | safe |
https://dev.virtualearth.net/REST/v1/Routes/ | 0% | Avira URL Cloud | safe |
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | 0% | Avira URL Cloud | safe |
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | 0% | Avira URL Cloud | safe |
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | 0% | Virustotal | | Browse
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | 0% | Virustotal | | Browse
https://dev.virtualearth.net/REST/v1/Routes/Walking | 0% | Avira URL Cloud | safe |
https://dev.virtualearth.net/REST/v1/Routes/ | 0% | Virustotal | | Browse
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | 0% | Avira URL Cloud | safe |
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | 0% | Virustotal | | Browse
https://dev.ditu.live.com/REST/v1/Transit/Stops/ | 0% | Virustotal | | Browse
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/ | 0% | Virustotal | | Browse
https://dev.ditu.live.com/REST/v1/Routes/ | 0% | Virustotal | | Browse
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r= | 0% | Virustotal | | Browse
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | 0% | Virustotal | | Browse
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | 0% | Avira URL Cloud | safe |
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | 0% | Avira URL Cloud | safe |
https://dev.virtualearth.net/REST/v1/Locations | 0% | Avira URL Cloud | safe |
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/ | 0% | Avira URL Cloud | safe |
jotunheim.name:443 | 0% | Avira URL Cloud | safe |
https://dev.virtualearth.net/mapcontrol/logging.ashx | 0% | Avira URL Cloud | safe |
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | 0% | Avira URL Cloud | safe |
http://standards.iso.org/iso/19770/-2/2009/schema.xsd | 0% | Avira URL Cloud | safe |
jotunheim.name:443 | 13% | Virustotal | | Browse
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/ | 0% | Virustotal | | Browse
https://dev.ditu.live.com/mapcontrol/logging.ashx | 0% | Avira URL Cloud | safe |
https://dev.virtualearth.net/REST/v1/Locations | 0% | Virustotal | | Browse
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/ | 0% | Virustotal | | Browse
https://dev.virtualearth.net/mapcontrol/logging.ashx | 0% | Virustotal | | Browse
https://dev.virtualearth.net/REST/v1/Routes/Walking | 0% | Virustotal | | Browse
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | 0% | Avira URL Cloud | safe |
http://standards.iso.org/iso/19770/-2/2009/schema.xsd | 0% | Virustotal | | Browse
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | 0% | Avira URL Cloud | safe |
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | 0% | Avira URL Cloud | safe |
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | 0% | Avira URL Cloud | safe |
vanaheim.cn:443 | 100% | Avira URL Cloud | phishing |
https://dynamic.t | 0% | Avira URL Cloud | safe |
https://dev.ditu.live.com/mapcontrol/logging.ashx | 0% | Virustotal | | Browse
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | 0% | Virustotal | | Browse
http://www.bingmapsportal.comc | 0% | Avira URL Cloud | safe |
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | 0% | Virustotal | | Browse
https://dev.virtualearth.net/REST/v1/Routes/Transit | 0% | Avira URL Cloud | safe |
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | 0% | Avira URL Cloud | safe |
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | 0% | Virustotal | | Browse
vanaheim.cn:443 | 8% | Virustotal | | Browse
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | 0% | Avira URL Cloud | safe |
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | 0% | Virustotal | | Browse
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | 0% | Avira URL Cloud | safe |
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | 0% | Virustotal | | Browse
https://dev.virtualearth.net/REST/v1/Routes/Transit | 0% | Virustotal | | Browse
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | 0% | Virustotal | | Browse
https://dev.ditu.live.com/REST/v1/Locations | 0% | Avira URL Cloud | safe |
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/ | 0% | Avira URL Cloud | safe |
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north= | 0% | Virustotal | | Browse
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | 0% | Avira URL Cloud | safe |
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mxs.mail.ru | 94.100.180.31 | true | true | | unknown
mta5.am0.yahoodns.net | 67.195.204.72 | true | true | | unknown
jotunheim.name | 80.66.75.11 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 52.101.11.0 | true | true | | unknown
vanaheim.cn | 195.133.13.231 | true | true | | unknown
smtp.google.com | 173.194.76.26 | true | false | | unknown
google.com | unknown | unknown | true | | unknown
time.windows.com | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
jotunheim.name:443 | true | 13%, Virustotal, Browse; Avira URL Cloud: safe | unknown
vanaheim.cn:443 | true | 8%, Virustotal, Browse; Avira URL Cloud: phishing | unknown
Name / Source / Malicious / Antivirus Detection / Reputation

Name: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
  Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
  Source: svchost.exe, 00000002.00000003.1410254879.000002636625D000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dev.ditu.live.com/REST/v1/Routes/
  Source: svchost.exe, 00000002.00000002.1426870101.0000026366268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1390205159.0000026366267000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dev.virtualearth.net/REST/v1/Routes/Driving
  Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
  Source: svchost.exe, 00000002.00000003.1415537390.0000026366243000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dev.ditu.live.com/REST/v1/Transit/Stops/
  Source: svchost.exe, 00000002.00000002.1426886129.0000026366270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1385716596.000002636626E000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dev.virtualearth.net/REST/v1/Routes/
  Source: svchost.exe, 00000002.00000002.1426870101.0000026366268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1390205159.0000026366267000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426727211.000002636622B000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
  Source: svchost.exe, 00000002.00000003.1392924123.0000026366262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426727211.000002636622B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426850778.0000026366263000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
  Source: svchost.exe, 00000002.00000003.1415537390.0000026366243000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dev.virtualearth.net/REST/v1/Routes/Walking
  Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
  Source: svchost.exe, 00000002.00000002.1426791972.0000026366244000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1401912422.000002636625E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1415537390.0000026366243000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
  Source: svchost.exe, 00000002.00000002.1426791972.0000026366244000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1392924123.0000026366262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426850778.0000026366263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1415537390.0000026366243000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
  Source: svchost.exe, 00000002.00000003.1415537390.0000026366243000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
  Source: svchost.exe, 00000002.00000003.1383970177.0000026366234000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dev.virtualearth.net/REST/v1/Locations
  Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
  Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dev.virtualearth.net/mapcontrol/logging.ashx
  Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
  Source: svchost.exe, 0000000D.00000002.3693187786.000002CE7C287000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.3694275058.000002CE7CB02000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.13.dr
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dev.ditu.live.com/mapcontrol/logging.ashx
  Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
  Source: svchost.exe, 00000002.00000002.1426886129.0000026366270000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1414299016.000002636625A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426791972.0000026366244000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1392924123.0000026366262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426850778.0000026366263000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1415537390.0000026366243000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1385716596.000002636626E000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
  Source: svchost.exe, 00000002.00000002.1426727211.000002636622B000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
  Source: svchost.exe, 00000002.00000002.1426775775.0000026366241000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
  Source: svchost.exe, 00000002.00000002.1426775775.0000026366241000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dynamic.t
  Source: svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

Name: http://www.bingmapsportal.comc
  Source: svchost.exe, 00000002.00000002.1426700791.0000026366213000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

Name: https://dev.virtualearth.net/REST/v1/Routes/Transit
  Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
  Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
  Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: 0%, Virustotal, Browse; Avira URL Cloud: safe | Reputation: unknown

Name: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
  Source: svchost.exe, 00000002.00000003.1392924123.0000026366262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426850778.0000026366263000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

Name: https://dev.ditu.live.com/REST/v1/Locations
  Source: svchost.exe, 00000002.00000003.1417561518.0000026366257000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426809926.0000026366258000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

Name: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
  Source: svchost.exe, 00000002.00000003.1414299016.000002636625A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1392924123.0000026366262000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426850778.0000026366263000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

Name: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
  Source: svchost.exe, 00000002.00000002.1426870101.0000026366268000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1390205159.0000026366267000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426727211.000002636622B000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown

Name: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
  Source: svchost.exe, 00000002.00000003.1383970177.0000026366234000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1426850778.0000026366263000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
IP | Domain | Country | ASN | ASN Name | Malicious
173.194.76.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false
52.101.11.0 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
217.69.139.150 | unknown | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
67.195.204.77 | unknown | United States | 26101 | YAHOO-3US | true
67.195.204.72 | mta5.am0.yahoodns.net | United States | 26101 | YAHOO-3US | true
195.133.13.231 | vanaheim.cn | Russian Federation | 197695 | AS-REGRU | true
94.100.180.31 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
80.66.75.11 | jotunheim.name | Russian Federation | 20803 | RISS-ASRU | true
104.47.54.36 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1468508
Start date and time: 2024-07-06 09:10:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 31
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: vyrcclmm.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@34/6@14/9
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 66
• Number of non-executed functions: 256
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 40.119.148.38, 20.76.201.171, 20.70.246.20, 20.236.44.162, 20.231.239.246, 20.112.250.133
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
04:21:33 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
04:21:38 | API Interceptor | 857x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

Match: 52.101.11.0
  AvDJi40xp_9fyz7RPmKdbxb4.exe | Get hash | malicious | Tofsee | Browse
  DWoKcG581L.exe | Get hash | malicious | Tofsee | Browse
  kPl1mZTpru.exe | Get hash | malicious | Tofsee | Browse
  Wc4SadetF5.exe | Get hash | malicious | Tofsee | Browse
  L7iza9mNDI.exe | Get hash | malicious | Tofsee | Browse
  file.exe | Get hash | malicious | Tofsee | Browse
  sorteado!!.com.exe | Get hash | malicious | Unknown | Browse
  U9dDsItOij.exe | Get hash | malicious | Tofsee | Browse
  bwntJQufLG.exe | Get hash | malicious | Tofsee | Browse
  t26nL0kcxj.exe | Get hash | malicious | Tofsee | Browse

Match: 217.69.139.150
  AvDJi40xp_9fyz7RPmKdbxb4.exe | Get hash | malicious | Tofsee | Browse
  I5vhb7vJPS.exe | Get hash | malicious | Tofsee | Browse
  lYWiDKe1In.exe | Get hash | malicious | Tofsee | Browse
  dIg0MWRViP.exe | Get hash | malicious | Tofsee | Browse
  rpzOeQ5QzX.exe | Get hash | malicious | Tofsee | Browse
  OgcktrbHkI.exe | Get hash | malicious | Tofsee | Browse
  G7DyaA9iz9.exe | Get hash | malicious | Pushdo | Browse
  x607DB0i08.exe | Get hash | malicious | Pushdo | Browse
  x7RlIzQDk1.exe | Get hash | malicious | Unknown | Browse
  EwK95WVtzI.exe | Get hash | malicious | Pushdo | Browse

Match: 67.195.204.77
  file.exe | Get hash | malicious | Phorpiex, Xmrig | Browse
  l3Qj8QhTYZ.exe | Get hash | malicious | Phorpiex | Browse
  data.log.exe | Get hash | malicious | Unknown | Browse
  message.elm.exe | Get hash | malicious | Unknown | Browse
  message.txt.exe | Get hash | malicious | Unknown | Browse
  test.dat.exe | Get hash | malicious | Unknown | Browse
  Update-KB78-x86.exe | Get hash | malicious | Unknown | Browse
  Update-KB9504-x86.exe | Get hash | malicious | Unknown | Browse
  La60esvnOK.exe | Get hash | malicious | Raccoon SmokeLoader Tofsee Vidar Xmrig | Browse
  SecuriteInfo.com.Trojan.DownLoader41.25700.7371.exe | Get hash | malicious | Tofsee Xmrig | Browse

Match: 67.195.204.72
  file.exe | Get hash | malicious | Phorpiex | Browse
  file.exe | Get hash | malicious | Phorpiex, Xmrig | Browse
  l3Qj8QhTYZ.exe | Get hash | malicious | Phorpiex | Browse
  data.log.exe | Get hash | malicious | Unknown | Browse
  message.elm.exe | Get hash | malicious | Unknown | Browse
  message.txt.exe | Get hash | malicious | Unknown | Browse
  Update-KB7390-x86.exe | Get hash | malicious | Unknown | Browse
  Update-KB6734-x86.exe | Get hash | malicious | Unknown | Browse
  Update-KB78-x86.exe | Get hash | malicious | Unknown | Browse
  file.txt.exe | Get hash | malicious | Unknown | Browse

Match: 195.133.13.231
  AvDJi40xp_9fyz7RPmKdbxb4.exe | Get hash | malicious | Tofsee | Browse
Match
        Associated Sample Name / URL | Detection | Threat Name | Context
mxs.mail.ru
        AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 217.69.139.150
        yq5xNPpWCT.exe | malicious | PureLog Stealer, SystemBC | 94.100.180.31
        I5vhb7vJPS.exe | malicious | Tofsee | 217.69.139.150
        lYWiDKe1In.exe | malicious | Tofsee | 217.69.139.150
        dIg0MWRViP.exe | malicious | Tofsee | 217.69.139.150
        rpzOeQ5QzX.exe | malicious | Tofsee | 217.69.139.150
        OgcktrbHkI.exe | malicious | Tofsee | 217.69.139.150
        a5hbkmGD7N.exe | malicious | Pushdo | 94.100.180.31
        G7DyaA9iz9.exe | malicious | Pushdo | 217.69.139.150
        x7RlIzQDk1.exe | malicious | Unknown | 217.69.139.150
microsoft-com.mail.protection.outlook.com
        AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 52.101.11.0
        bill.txt.exe | malicious | Unknown | 104.47.54.36
        I5vhb7vJPS.exe | malicious | Tofsee | 104.47.54.36
        lYWiDKe1In.exe | malicious | Tofsee | 52.101.40.26
        dIg0MWRViP.exe | malicious | Tofsee | 104.47.53.36
        rpzOeQ5QzX.exe | malicious | Tofsee | 104.47.54.36
        OgcktrbHkI.exe | malicious | Tofsee | 104.47.53.36
        DWoKcG581L.exe | malicious | Tofsee | 104.47.53.36
        kPl1mZTpru.exe | malicious | Tofsee | 52.101.11.0
        Wc4SadetF5.exe | malicious | Tofsee | 104.47.53.36
mta5.am0.yahoodns.net
        lYWiDKe1In.exe | malicious | Tofsee | 98.136.96.91
        I7ldmFS13W.exe | malicious | Phorpiex | 67.195.204.73
        file.exe | malicious | Phorpiex | 67.195.228.110
        file.exe | malicious | Phorpiex | 98.136.96.74
        file.exe | malicious | Tofsee | 98.136.96.77
        newtpp.exe | malicious | Phorpiex | 67.195.204.77
        file.msg.scr.exe | malicious | Unknown | 67.195.228.110
        file.exe | malicious | Phorpiex, Xmrig | 67.195.228.109
        .exe | malicious | Unknown | 67.195.228.111
        l3Qj8QhTYZ.exe | malicious | Phorpiex | 98.136.96.75
jotunheim.name
        AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 80.66.75.11
        kPl1mZTpru.exe | malicious | Tofsee | 80.66.75.77
        Wc4SadetF5.exe | malicious | Tofsee | 80.66.75.77
        L7iza9mNDI.exe | malicious | Tofsee | 80.66.75.77
        file.exe | malicious | Tofsee | 80.66.75.77
        U9dDsItOij.exe | malicious | Tofsee | 80.66.75.77
        t26nL0kcxj.exe | malicious | Tofsee | 80.66.75.77
        SecuriteInfo.com.Win32.BotX-gen.15544.10747.exe | malicious | Tofsee | 80.66.75.77
        SecuriteInfo.com.Win32.BotX-gen.28812.11191.exe | malicious | Tofsee | 80.66.75.77
        SecuriteInfo.com.Trojan.Siggen23.53341.25424.13682.exe | malicious | Tofsee | 80.66.75.77
Match
        Associated Sample Name / URL | Detection | Threat Name | Context
MAILRU-AS MailRu RU
        AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 94.100.180.31
        http://ct31152.tw1.ru/ | malicious | Unknown | 94.100.180.226
        http://cb00287.tw1.ru/ | malicious | Unknown | 217.69.129.214
        http://cv59800.tw1.ru/ | malicious | Unknown | 217.69.129.214
        I5vhb7vJPS.exe | malicious | Tofsee | 217.69.139.150
        lYWiDKe1In.exe | malicious | Tofsee | 217.69.139.150
        https://cs13786.tw1.ru/ | malicious | Unknown | 217.69.129.214
        http://cf20871.tw1.ru/ | malicious | Unknown | 5.61.23.11
        x64.nn.elf | malicious | Mirai | 128.140.169.91
        dIg0MWRViP.exe | malicious | Tofsee | 217.69.139.150
YAHOO-3 US
        HTUyCRuDev.elf | malicious | Unknown | 98.139.142.32
        https://yellatism.com/click.php?key=2240o76mk7oyoycyr074&cid=cphbldi9sch0sh7da130&zone=2353135-2517555085-3576986712&campaign=395161020&type=Push&age=11&creative_id=547520&campaign_id=108855&site_id=11517&placement_id=43113822&preset_id=500 | malicious | Unknown | 74.6.143.26
        wQsdlAeKOF.elf | malicious | Mirai | 98.139.142.16
        NA9GDRMmA3.elf | malicious | Unknown | 74.6.62.1
        V#U2550DEOS.EXE | malicious | Brontok | 74.6.143.26
        YCrL9vbZ3g.elf | malicious | Mirai | 98.139.142.20
        I7ldmFS13W.exe | malicious | Phorpiex | 67.195.204.73
        https://www.canva.com/design/DAGDiia04Xg/_SQxN5BXpIl2RgDD44fATw/edit?utm_content=DAGDiia04Xg&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton | malicious | HTMLPhisher | 76.13.32.146
        98zdN8lGtk.elf | malicious | Unknown | 76.13.122.13
        https://yhs-world-aged-dust-4671.aubrey744.workers.dev/favicon.ico | malicious | HTMLPhisher | 66.218.84.137
MICROSOFT-CORP-MSN-AS-BLOCK US
        AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 104.47.53.36
        (No subject) (29).eml | malicious | HTMLPhisher | 104.47.65.28
        arm5-20240706-0012.elf | malicious | Mirai | 20.18.255.130
        https://pub-fb608504b57048a1b1ca54c74dbf132d.r2.dev/ront.html?ccsend | malicious | HTMLPhisher | 20.76.252.24
        https://netorgft11417463-my.sharepoint.com/:o:/g/personal/miraxy_mlmfoodsusa_com/Ep2tW9OiVYhPtqAXFyRLSFoBWqPOojE29ja-FQWlUqv0SA?e=5%3algW4EA&at=9 | malicious | HTMLPhisher | 13.107.136.10
        https://bainbridgemfg-my.sharepoint.com/:o:/p/david/ErvlllHCJGpPobC1afGT7j4Badn5zob3qi0w_pRTIz-v-g?e=5%3a0L4XAf&at=9 | malicious | HTMLPhisher | 13.107.136.10
        https://starsof.com/404.php?7-797967704b536932307465765443334f7a4d6d73306b744f533948337a676e494439454841413d3d-amdyb3dAdG9sbGVzb25hei5vcmc= | malicious | HTMLPhisher | 13.74.129.92
        https://deacerousa2-my.sharepoint.com/:o:/g/personal/eservice_huynhlaw_com/Ekv2F9Kc_pJJuB-bxZ7Z5QcBrNuZWh85OaRkXp9nQSqCiQ?e=5%3aD7eLEH&at=9 | malicious | HTMLPhisher | 52.107.242.226
        https://deacerousa2-my.sharepoint.com/:o:/g/personal/eservice_huynhlaw_com/Ekv2F9Kc_pJJuB-bxZ7Z5QcBrNuZWh85OaRkXp9nQSqCiQ?e=5%3aD7eLEH&at=9 | malicious | HTMLPhisher | 13.107.136.10
        Christy Towler shared _OmniSource Marketing Group_ with you.eml | malicious | HTMLPhisher | 13.107.136.10
YAHOO-3 US
        HTUyCRuDev.elf | malicious | Unknown | 98.139.142.32
        https://yellatism.com/click.php?key=2240o76mk7oyoycyr074&cid=cphbldi9sch0sh7da130&zone=2353135-2517555085-3576986712&campaign=395161020&type=Push&age=11&creative_id=547520&campaign_id=108855&site_id=11517&placement_id=43113822&preset_id=500 | malicious | Unknown | 74.6.143.26
        wQsdlAeKOF.elf | malicious | Mirai | 98.139.142.16
        NA9GDRMmA3.elf | malicious | Unknown | 74.6.62.1
        V#U2550DEOS.EXE | malicious | Brontok | 74.6.143.26
        YCrL9vbZ3g.elf | malicious | Mirai | 98.139.142.20
        I7ldmFS13W.exe | malicious | Phorpiex | 67.195.204.73
        https://www.canva.com/design/DAGDiia04Xg/_SQxN5BXpIl2RgDD44fATw/edit?utm_content=DAGDiia04Xg&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton | malicious | HTMLPhisher | 76.13.32.146
        98zdN8lGtk.elf | malicious | Unknown | 76.13.122.13
        https://yhs-world-aged-dust-4671.aubrey744.workers.dev/favicon.ico | malicious | HTMLPhisher | 66.218.84.137
No context
No context
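The Domains table above is a pivot table, and not every row in it pivots equally well: jotunheim.name appears only with samples classified Tofsee, while the three mail-exchanger hosts (mxs.mail.ru, microsoft-com.mail.protection.outlook.com, mta5.am0.yahoodns.net) appear with Tofsee, Phorpiex, Pushdo and others, because any spam-sending bot resolves public MX records. The script below, an added example that is not part of the Joe Sandbox report, scores each indicator from the threat names of the samples that contacted it. CONTEXT is transcribed from the table above (threat names in table order; sample names are not needed for the scoring); the scoring rule, the sighting threshold and the PUBLIC_MAIL_SUFFIXES allowlist are this example's own assumptions, not Joe Sandbox output.

```python
"""Rate the pivot value of the indicators in the report's Domains context table.

Added example, not part of the Joe Sandbox report. CONTEXT is transcribed from
the Domains table above (threat name of each associated sample, in table order;
sample names are not needed for the scoring). The scoring rule, the sighting
threshold and the public-mail-exchanger suffix list are this example's own
assumptions, not Joe Sandbox output.
"""
from collections import Counter

CONTEXT = {
    "mxs.mail.ru": ["Tofsee", "PureLog Stealer, SystemBC", "Tofsee", "Tofsee", "Tofsee",
                    "Tofsee", "Tofsee", "Pushdo", "Pushdo", "Unknown"],
    "microsoft-com.mail.protection.outlook.com": ["Tofsee", "Unknown"] + ["Tofsee"] * 8,
    "mta5.am0.yahoodns.net": ["Tofsee", "Phorpiex", "Phorpiex", "Phorpiex", "Tofsee",
                              "Phorpiex", "Unknown", "Phorpiex, Xmrig", "Unknown", "Phorpiex"],
    "jotunheim.name": ["Tofsee"] * 10,
}

# Assumption: hosts under these suffixes are public mail exchangers. A spam bot of
# any family resolves and connects to them, so they identify no family.
PUBLIC_MAIL_SUFFIXES = ("mail.protection.outlook.com", "yahoodns.net", "mail.ru")


def families(threat_name):
    """Split a threat-name cell into family labels; 'Unknown' contributes nothing."""
    return [f.strip() for f in threat_name.split(",") if f.strip() and f.strip() != "Unknown"]


def is_public_mail_host(indicator):
    return any(indicator == s or indicator.endswith("." + s) for s in PUBLIC_MAIL_SUFFIXES)


def score_indicator(indicator, threat_names, min_sightings=3):
    """Classify one indicator from the threat names of the samples that contacted it."""
    counts = Counter(f for t in threat_names for f in families(t))
    if is_public_mail_host(indicator):
        verdict = "public-mail-infrastructure"
    elif not counts:
        verdict = "unclassified"
    elif len(counts) > 1:
        verdict = "shared"
    elif len(threat_names) < min_sightings:
        verdict = "too-few-sightings"
    else:
        verdict = "family-specific"
    return {"sightings": len(threat_names), "families": dict(counts), "verdict": verdict}


def score_context(context, min_sightings=3):
    return {ind: score_indicator(ind, names, min_sightings) for ind, names in context.items()}


def pivots_for(context, family, min_sightings=3):
    """Indicators whose only classified family is `family`: the ones worth hunting on."""
    scored = score_context(context, min_sightings)
    return sorted(i for i, r in scored.items()
                  if r["verdict"] == "family-specific" and family in r["families"])


if __name__ == "__main__":
    for indicator, r in score_context(CONTEXT).items():
        print(f"{indicator:45} {r['sightings']:2}  {r['verdict']:27} {r['families']}")
    print("Tofsee pivots:", pivots_for(CONTEXT, "Tofsee"))
```

On the table above this yields jotunheim.name as the only family-specific Tofsee pivot; the MX hosts are reported as public mail infrastructure even though the Outlook MX, on this slice of the corpus alone, was seen with nothing but Tofsee. That is the point of the allowlist: a small corpus slice makes shared infrastructure look specific, and the suffix list has to be maintained by the analyst.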
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 4096
Entropy (8bit): 1.1989171971449115
Encrypted: false
SSDEEP: 12:OTqPqF69Fq5DQehk56GWtbgjO3s7Nxk56G5le0Thl+oad:OM1JmGtm2jGt5g8l+x
MD5: 1FC56A241333C0F0B08DA5F6FFDB2602
SHA1: 4C60784311BEDDC4AB2BDAC8529211677BB7AF69
SHA-256: C39D4F4FCB95D49AD932028F6E01275FE3F05CB653533C02AC94325C50A37F54
SHA-512: 57C77AF412C55E4608125FC06FF155E19E4F82D243A3DD89DE230AADC3F21A6A1C3682F1ACA9FEDB3AF9ED722597B7E71BB238CDFAF766E32B89072DF741D5B1
Malicious: false
Preview: ............................................................................D.............\.s...................eJ..............Zb..K....(......................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................?W.............\.s...........U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n...C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.U.S.O.S.h.a.r.e.d.\.L.o.g.s.\.S.y.s.t.e.m.\.U.p.d.a.t.e.S.e.s.s.i.o.n.O.r.c.h.e.s.t.r.a.t.i.o.n...e.3.2.3.d.a.c.c.-.2.6.4.7.-.4.c.c.d.-.8.b.7.c.-.9.7.6.c.8.7.6.a.1.a.2.b...1...e.t.l...........P.P..........f^.s.

Process: C:\Windows\System32\svchost.exe
File Type: XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 999
Entropy (8bit): 4.966299883488245
Encrypted: false
SSDEEP: 24:Jd4T7gw4TchTGBLtKEHcHGuDyeHRuDye6MGFiP6euDyRtz:34T53VGLv8HGuDyeHRuDye6MGFiP6euy
MD5: 24567B9212F806F6E3E27CDEB07728C0
SHA1: 371AE77042FFF52327BF4B929495D5603404107D
SHA-256: 82F352AD3C9B3E58ECD3207EDC38D5F01B14D968DA908406BD60FD93230B69F6
SHA-512: 5D5E65FCD9061DADC760C9B3124547F2BABEB49FD56A2FD2FE2AD2211A1CB15436DB24308A0B5A87DA24EC6AB2A9B0C5242D828BE85BD1B2683F9468CE310904
Malicious: false
Preview (decoded from the UTF-8 text):
<?xml version="1.0" encoding="utf-8"?>
<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">
  <entitlement_required_indicator>true</entitlement_required_indicator>
  <product_title>Windows 10 Pro</product_title>
  <product_version>
    <name>10.0.19041.1865</name>
    <numeric>
      <major>10</major>
      <minor>0</minor>
      <build>19041</build>
      <review>1865</review>
    </numeric>
  </product_version>
  <software_creator>
    <name>Microsoft Corporation</name>
    <regid>regid.1991-06.com.microsoft</regid>
  </software_creator>
  <software_licensor>
    <name>Microsoft Corporation</name>
    <regid>regid.1991-06.com.microsoft</regid>
  </software_licensor>
  <software_id>
    <unique_id>Windows-10-Pro</unique_id>
    <tag_creator_regid>regid.1991-06.com.microsoft</tag_creator_regid>
  </software_id>
  <tag_creator>
    <name>Microsoft Corporation</name>
    <regid>regid.1991-06.com.microsoft</regid>
  </tag_creator>
</software_identification_tag>

Process: C:\Users\user\Desktop\vyrcclmm.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 13180416
Entropy (8bit): 5.507441220985376
Encrypted: false
SSDEEP: 98304:9qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq3:
MD5: 38DF4E4C47840B37306FF102DD07903D
SHA1: 6E4BD0EDFDDE08C290555F10CE45BB971A7A6E50
SHA-256: 3880E692DB7811D3DB60D7F5C66624DB46EFEA75740596A640E53BEFD740E9EF
SHA-512: 6F0E323A79068B1D334544AE3F33C12FF7E2C72CB60A1DFB1D118EF391FB631EC87AEB6554DF8F85CDB9DAA38DFD988517634F16FECA61E4FA1DFEFF9FC8A362
Malicious: true
Antivirus:
        Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............yB.yB.yB...B.yB...B.yB...B..yB...B.yB.xB..yB...B.yB...B.yB...B.yBRich.yB................PE..L...577d.....................P@.....h%............@...........................B......;......................................<9.......PA..............................9...............................4..@............................................text...p........................... ..`.rdata..d2.......4..................@..@.data.....>..P.......6..............@....rsrc........PA..4..................@..@

Process: C:\Program Files\Windows Defender\MpCmdRun.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: modified
Size (bytes): 2464
Entropy (8bit): 3.2488343793843195
Encrypted: false
SSDEEP: 24:QOaqdmuF3rGY+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVx+:FaqdF7j+AAHdKoqKFxcxkFj
MD5: 44910CACB1F6C7DB5B7DC2B4A8C0DE89
SHA1: F179B8C8F8424E44DD081F237092C4D5D1D4EDD4
SHA-256: A9AC501DD0CD08D830D2B2097073A3BB942523826000FD080DB7D5C96421F3A9
SHA-512: DDFC14D4B35A5130F49263F730D008BAA28DCEF8EF9EB2CF68AA9F019F441D01419C95C7F7D23D6A4764B7E4995716F0F52345810D80E70FED4B5E8B91F8BC4C
Malicious: false
Preview (decoded from the UTF-16LE text):
-------------------------------------------------------------------------------------
MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
 Start Time: Sat Jul 06 2024 04:21:33

MpEnsureProcessMitigationPolicy: hr = 0x1
WDEnable
*********************************** WSC State Info *************************
*********************************** AntiVirusProduct *************************
displayName = [Windows Defender]
pathToSignedProductExe = [windowsd

Process: C:\Windows\SysWOW64\cmd.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 13180416
Entropy (8bit): 5.507441220985376
Encrypted: false
SSDEEP: 98304:9qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq3:
MD5: 38DF4E4C47840B37306FF102DD07903D
SHA1: 6E4BD0EDFDDE08C290555F10CE45BB971A7A6E50
SHA-256: 3880E692DB7811D3DB60D7F5C66624DB46EFEA75740596A640E53BEFD740E9EF
SHA-512: 6F0E323A79068B1D334544AE3F33C12FF7E2C72CB60A1DFB1D118EF391FB631EC87AEB6554DF8F85CDB9DAA38DFD988517634F16FECA61E4FA1DFEFF9FC8A362
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............yB.yB.yB...B.yB...B.yB...B..yB...B.yB.xB..yB...B.yB...B.yB...B.yBRich.yB................PE..L...577d.....................P@.....h%............@...........................B......;......................................<9.......PA..............................9...............................4..@............................................text...p........................... ..`.rdata..d2.......4..................@..@.data.....>..P.......6..............@....rsrc........PA..4..................@..@
                                                                                        Process:C:\Windows\SysWOW64\netsh.exe
                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                        Category:dropped
                                                                                        Size (bytes):3773
                                                                                        Entropy (8bit):4.7109073551842435
                                                                                        Encrypted:false
                                                                                        SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                                        MD5:DA3247A302D70819F10BCEEBAF400503
                                                                                        SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                                        SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                                        SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                                        Malicious:false
                                                                                        Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
                                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                        Entropy (8bit):5.513171290077752
                                                                                        TrID:
                                                                                        • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                        File name:vyrcclmm.exe
                                                                                        File size:10'890'752 bytes
                                                                                        MD5:52d6521fdf86ef42b47afa05bf06225f
                                                                                        SHA1:ffe1dca080b60cac20e6d2dcba807388badde68f
                                                                                        SHA256:039bcb175a6042892395691ef543d82135ff3e0542cc18a30b791d20d205b966
                                                                                        SHA512:9d70674d23ad82d1210b7cfd755f7aa5a590883bcddbb18a54e5a53706b642d606c0244c3d9b97ee93615d80d72a51e9e69241a48bd98a222a757244551a350a
                                                                                        SSDEEP:98304:Gqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqv:
                                                                                        TLSH:3DB67C90E7E25880F66B493B8A617ED4D57FFC52FBE2D27F22045A2F2C71652C502326
                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............yB..yB..yB...B..yB...B..yB...B..yB...B..yB..xB..yB...B..yB...B..yB...B..yBRich..yB................PE..L...577d...........
                                                                                        Icon Hash:63796de961636e0f
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 6, 2024 09:11:32.674210072 CEST | 49705 | 25 | 192.168.2.7 | 52.101.11.0
Jul 6, 2024 09:11:33.663700104 CEST | 49705 | 25 | 192.168.2.7 | 52.101.11.0
Jul 6, 2024 09:11:35.539781094 CEST | 49706 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:11:35.539833069 CEST | 443 | 49706 | 195.133.13.231 | 192.168.2.7
Jul 6, 2024 09:11:35.539908886 CEST | 49706 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:11:35.757577896 CEST | 49705 | 25 | 192.168.2.7 | 52.101.11.0
Jul 6, 2024 09:11:39.851382017 CEST | 49705 | 25 | 192.168.2.7 | 52.101.11.0
Jul 6, 2024 09:11:47.866978884 CEST | 49705 | 25 | 192.168.2.7 | 52.101.11.0
Jul 6, 2024 09:11:52.684009075 CEST | 49707 | 25 | 192.168.2.7 | 67.195.204.72
Jul 6, 2024 09:11:53.867024899 CEST | 49707 | 25 | 192.168.2.7 | 67.195.204.72
Jul 6, 2024 09:11:55.882550001 CEST | 49707 | 25 | 192.168.2.7 | 67.195.204.72
Jul 6, 2024 09:11:59.882570028 CEST | 49707 | 25 | 192.168.2.7 | 67.195.204.72
Jul 6, 2024 09:12:07.882570982 CEST | 49707 | 25 | 192.168.2.7 | 67.195.204.72
Jul 6, 2024 09:12:12.717941046 CEST | 49708 | 25 | 192.168.2.7 | 173.194.76.26
Jul 6, 2024 09:12:13.726485968 CEST | 49708 | 25 | 192.168.2.7 | 173.194.76.26
Jul 6, 2024 09:12:15.539021969 CEST | 49706 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:12:15.539108038 CEST | 443 | 49706 | 195.133.13.231 | 192.168.2.7
Jul 6, 2024 09:12:15.539222002 CEST | 49706 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:12:15.649183989 CEST | 49709 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:12:15.649228096 CEST | 443 | 49709 | 195.133.13.231 | 192.168.2.7
Jul 6, 2024 09:12:15.649317980 CEST | 49709 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:12:15.726361990 CEST | 49708 | 25 | 192.168.2.7 | 173.194.76.26
Jul 6, 2024 09:12:19.742044926 CEST | 49708 | 25 | 192.168.2.7 | 173.194.76.26
Jul 6, 2024 09:12:27.757787943 CEST | 49708 | 25 | 192.168.2.7 | 173.194.76.26
Jul 6, 2024 09:12:32.730051994 CEST | 49713 | 25 | 192.168.2.7 | 94.100.180.31
Jul 6, 2024 09:12:33.726478100 CEST | 49713 | 25 | 192.168.2.7 | 94.100.180.31
Jul 6, 2024 09:12:35.742069960 CEST | 49713 | 25 | 192.168.2.7 | 94.100.180.31
Jul 6, 2024 09:12:39.898339987 CEST | 49713 | 25 | 192.168.2.7 | 94.100.180.31
Jul 6, 2024 09:12:47.898432016 CEST | 49713 | 25 | 192.168.2.7 | 94.100.180.31
Jul 6, 2024 09:12:55.648493052 CEST | 49709 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:12:55.648583889 CEST | 443 | 49709 | 195.133.13.231 | 192.168.2.7
Jul 6, 2024 09:12:55.648665905 CEST | 49709 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:12:55.759254932 CEST | 49714 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:12:55.759309053 CEST | 443 | 49714 | 195.133.13.231 | 192.168.2.7
Jul 6, 2024 09:12:55.759408951 CEST | 49714 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:13:35.757987022 CEST | 49714 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:13:35.758055925 CEST | 443 | 49714 | 195.133.13.231 | 192.168.2.7
Jul 6, 2024 09:13:35.758224964 CEST | 49714 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:13:35.868088007 CEST | 49715 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:13:35.868168116 CEST | 443 | 49715 | 195.133.13.231 | 192.168.2.7
Jul 6, 2024 09:13:35.868266106 CEST | 49715 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:13:59.377273083 CEST | 49717 | 25 | 192.168.2.7 | 104.47.54.36
Jul 6, 2024 09:14:00.382986069 CEST | 49717 | 25 | 192.168.2.7 | 104.47.54.36
Jul 6, 2024 09:14:02.445547104 CEST | 49717 | 25 | 192.168.2.7 | 104.47.54.36
Jul 6, 2024 09:14:06.445566893 CEST | 49717 | 25 | 192.168.2.7 | 104.47.54.36
Jul 6, 2024 09:14:14.539278030 CEST | 49717 | 25 | 192.168.2.7 | 104.47.54.36
Jul 6, 2024 09:14:15.867582083 CEST | 49715 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:14:15.867645025 CEST | 443 | 49715 | 195.133.13.231 | 192.168.2.7
Jul 6, 2024 09:14:15.867753029 CEST | 49715 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:14:15.978482008 CEST | 49718 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:14:15.978538990 CEST | 443 | 49718 | 195.133.13.231 | 192.168.2.7
Jul 6, 2024 09:14:15.978634119 CEST | 49718 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:14:19.377983093 CEST | 49719 | 25 | 192.168.2.7 | 67.195.204.77
Jul 6, 2024 09:14:20.383140087 CEST | 49719 | 25 | 192.168.2.7 | 67.195.204.77
Jul 6, 2024 09:14:22.383124113 CEST | 49719 | 25 | 192.168.2.7 | 67.195.204.77
Jul 6, 2024 09:14:26.383114100 CEST | 49719 | 25 | 192.168.2.7 | 67.195.204.77
Jul 6, 2024 09:14:34.398843050 CEST | 49719 | 25 | 192.168.2.7 | 67.195.204.77
Jul 6, 2024 09:14:39.392369032 CEST | 49720 | 25 | 192.168.2.7 | 173.194.76.26
Jul 6, 2024 09:14:40.383187056 CEST | 49720 | 25 | 192.168.2.7 | 173.194.76.26
Jul 6, 2024 09:14:42.383186102 CEST | 49720 | 25 | 192.168.2.7 | 173.194.76.26
Jul 6, 2024 09:14:46.383219004 CEST | 49720 | 25 | 192.168.2.7 | 173.194.76.26
Jul 6, 2024 09:14:54.398869038 CEST | 49720 | 25 | 192.168.2.7 | 173.194.76.26
Jul 6, 2024 09:14:55.977133989 CEST | 49718 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:14:55.977220058 CEST | 443 | 49718 | 195.133.13.231 | 192.168.2.7
Jul 6, 2024 09:14:55.977308035 CEST | 49718 | 443 | 192.168.2.7 | 195.133.13.231
Jul 6, 2024 09:14:56.098345995 CEST | 49721 | 443 | 192.168.2.7 | 80.66.75.11
Jul 6, 2024 09:14:56.098395109 CEST | 443 | 49721 | 80.66.75.11 | 192.168.2.7
Jul 6, 2024 09:14:56.098629951 CEST | 49721 | 443 | 192.168.2.7 | 80.66.75.11
Jul 6, 2024 09:14:59.393008947 CEST | 49722 | 25 | 192.168.2.7 | 217.69.139.150
Jul 6, 2024 09:15:00.398951054 CEST | 49722 | 25 | 192.168.2.7 | 217.69.139.150
Jul 6, 2024 09:15:02.398817062 CEST | 49722 | 25 | 192.168.2.7 | 217.69.139.150
Jul 6, 2024 09:15:06.414453983 CEST | 49722 | 25 | 192.168.2.7 | 217.69.139.150
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 6, 2024 09:11:11.773183107 CEST | 61641 | 53 | 192.168.2.7 | 1.1.1.1
Jul 6, 2024 09:11:32.647283077 CEST | 65167 | 53 | 192.168.2.7 | 1.1.1.1
Jul 6, 2024 09:11:32.673497915 CEST | 53 | 65167 | 1.1.1.1 | 192.168.2.7
Jul 6, 2024 09:11:35.491096973 CEST | 63042 | 53 | 192.168.2.7 | 1.1.1.1
Jul 6, 2024 09:11:35.502367020 CEST | 53 | 63042 | 1.1.1.1 | 192.168.2.7
Jul 6, 2024 09:11:52.664469957 CEST | 56284 | 53 | 192.168.2.7 | 1.1.1.1
Jul 6, 2024 09:11:52.673046112 CEST | 53 | 56284 | 1.1.1.1 | 192.168.2.7
Jul 6, 2024 09:11:52.673818111 CEST | 52309 | 53 | 192.168.2.7 | 1.1.1.1
Jul 6, 2024 09:11:52.683382988 CEST | 53 | 52309 | 1.1.1.1 | 192.168.2.7
Jul 6, 2024 09:12:12.695873976 CEST | 54450 | 53 | 192.168.2.7 | 1.1.1.1
Jul 6, 2024 09:12:12.704437971 CEST | 53 | 54450 | 1.1.1.1 | 192.168.2.7
Jul 6, 2024 09:12:12.706026077 CEST | 60681 | 53 | 192.168.2.7 | 1.1.1.1
Jul 6, 2024 09:12:12.714915991 CEST | 53 | 60681 | 1.1.1.1 | 192.168.2.7
Jul 6, 2024 09:12:32.712018013 CEST | 53416 | 53 | 192.168.2.7 | 1.1.1.1
Jul 6, 2024 09:12:32.719425917 CEST | 53 | 53416 | 1.1.1.1 | 192.168.2.7
Jul 6, 2024 09:12:32.720911026 CEST | 59281 | 53 | 192.168.2.7 | 1.1.1.1
Jul 6, 2024 09:12:32.728657007 CEST | 53 | 59281 | 1.1.1.1 | 192.168.2.7
Jul 6, 2024 09:13:59.341948032 CEST | 65068 | 53 | 192.168.2.7 | 1.1.1.1
Jul 6, 2024 09:13:59.376648903 CEST | 53 | 65068 | 1.1.1.1 | 192.168.2.7
Jul 6, 2024 09:14:19.368593931 CEST | 49386 | 53 | 192.168.2.7 | 1.1.1.1
Jul 6, 2024 09:14:19.377379894 CEST | 53 | 49386 | 1.1.1.1 | 192.168.2.7
Jul 6, 2024 09:14:39.383851051 CEST | 59236 | 53 | 192.168.2.7 | 1.1.1.1
Jul 6, 2024 09:14:39.391499996 CEST | 53 | 59236 | 1.1.1.1 | 192.168.2.7
Jul 6, 2024 09:14:56.086985111 CEST | 57764 | 53 | 192.168.2.7 | 1.1.1.1
Jul 6, 2024 09:14:56.097516060 CEST | 53 | 57764 | 1.1.1.1 | 192.168.2.7
Jul 6, 2024 09:14:59.384335995 CEST | 60869 | 53 | 192.168.2.7 | 1.1.1.1
Jul 6, 2024 09:14:59.392393112 CEST | 53 | 60869 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 6, 2024 09:11:11.773183107 CEST | 192.168.2.7 | 1.1.1.1 | 0x618d | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:11:32.647283077 CEST | 192.168.2.7 | 1.1.1.1 | 0xe732 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:11:35.491096973 CEST | 192.168.2.7 | 1.1.1.1 | 0x43da | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:11:52.664469957 CEST | 192.168.2.7 | 1.1.1.1 | 0x3549 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Jul 6, 2024 09:11:52.673818111 CEST | 192.168.2.7 | 1.1.1.1 | 0xb834 | Standard query (0) | mta5.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:12:12.695873976 CEST | 192.168.2.7 | 1.1.1.1 | 0x9b62 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Jul 6, 2024 09:12:12.706026077 CEST | 192.168.2.7 | 1.1.1.1 | 0xa52e | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:12:32.712018013 CEST | 192.168.2.7 | 1.1.1.1 | 0xb579 | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Jul 6, 2024 09:12:32.720911026 CEST | 192.168.2.7 | 1.1.1.1 | 0xa65c | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:13:59.341948032 CEST | 192.168.2.7 | 1.1.1.1 | 0xfd45 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:14:19.368593931 CEST | 192.168.2.7 | 1.1.1.1 | 0x8f35 | Standard query (0) | mta5.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:14:39.383851051 CEST | 192.168.2.7 | 1.1.1.1 | 0xad14 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Jul 6, 2024 09:14:56.086985111 CEST | 192.168.2.7 | 1.1.1.1 | 0xac98 | Standard query (0) | jotunheim.name | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:14:59.384335995 CEST | 192.168.2.7 | 1.1.1.1 | 0x5685 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 6, 2024 09:11:11.780968904 CEST | 1.1.1.1 | 192.168.2.7 | 0x618d | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Jul 6, 2024 09:11:32.673497915 CEST | 1.1.1.1 | 192.168.2.7 | 0xe732 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:11:32.673497915 CEST | 1.1.1.1 | 192.168.2.7 | 0xe732 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:11:32.673497915 CEST | 1.1.1.1 | 192.168.2.7 | 0xe732 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:11:32.673497915 CEST | 1.1.1.1 | 192.168.2.7 | 0xe732 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:11:35.502367020 CEST | 1.1.1.1 | 192.168.2.7 | 0x43da | No error (0) | vanaheim.cn | | 195.133.13.231 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:11:52.673046112 CEST | 1.1.1.1 | 192.168.2.7 | 0x3549 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Jul 6, 2024 09:11:52.673046112 CEST | 1.1.1.1 | 192.168.2.7 | 0x3549 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Jul 6, 2024 09:11:52.673046112 CEST | 1.1.1.1 | 192.168.2.7 | 0x3549 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Jul 6, 2024 09:11:52.683382988 CEST | 1.1.1.1 | 192.168.2.7 | 0xb834 | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.72 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:11:52.683382988 CEST | 1.1.1.1 | 192.168.2.7 | 0xb834 | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.77 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:11:52.683382988 CEST | 1.1.1.1 | 192.168.2.7 | 0xb834 | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.76 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:11:52.683382988 CEST | 1.1.1.1 | 192.168.2.7 | 0xb834 | No error (0) | mta5.am0.yahoodns.net | | 67.195.228.106 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:11:52.683382988 CEST | 1.1.1.1 | 192.168.2.7 | 0xb834 | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.74 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:11:52.683382988 CEST | 1.1.1.1 | 192.168.2.7 | 0xb834 | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.91 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:11:52.683382988 CEST | 1.1.1.1 | 192.168.2.7 | 0xb834 | No error (0) | mta5.am0.yahoodns.net | | 67.195.228.110 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:11:52.683382988 CEST | 1.1.1.1 | 192.168.2.7 | 0xb834 | No error (0) | mta5.am0.yahoodns.net | | 67.195.228.109 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:12:12.704437971 CEST | 1.1.1.1 | 192.168.2.7 | 0x9b62 | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
Jul 6, 2024 09:12:12.714915991 CEST | 1.1.1.1 | 192.168.2.7 | 0xa52e | No error (0) | smtp.google.com | | 173.194.76.26 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:12:12.714915991 CEST | 1.1.1.1 | 192.168.2.7 | 0xa52e | No error (0) | smtp.google.com | | 108.177.15.26 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:12:12.714915991 CEST | 1.1.1.1 | 192.168.2.7 | 0xa52e | No error (0) | smtp.google.com | | 66.102.1.26 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:12:12.714915991 CEST | 1.1.1.1 | 192.168.2.7 | 0xa52e | No error (0) | smtp.google.com | | 173.194.76.27 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:12:12.714915991 CEST | 1.1.1.1 | 192.168.2.7 | 0xa52e | No error (0) | smtp.google.com | | 66.102.1.27 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:12:32.719425917 CEST | 1.1.1.1 | 192.168.2.7 | 0xb579 | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
Jul 6, 2024 09:12:32.728657007 CEST | 1.1.1.1 | 192.168.2.7 | 0xa65c | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:12:32.728657007 CEST | 1.1.1.1 | 192.168.2.7 | 0xa65c | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:13:59.376648903 CEST | 1.1.1.1 | 192.168.2.7 | 0xfd45 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:13:59.376648903 CEST | 1.1.1.1 | 192.168.2.7 | 0xfd45 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:14:19.377379894 CEST | 1.1.1.1 | 192.168.2.7 | 0x8f35 | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.77 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:14:19.377379894 CEST | 1.1.1.1 | 192.168.2.7 | 0x8f35 | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.74 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:14:19.377379894 CEST | 1.1.1.1 | 192.168.2.7 | 0x8f35 | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.79 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:14:19.377379894 CEST | 1.1.1.1 | 192.168.2.7 | 0x8f35 | No error (0) | mta5.am0.yahoodns.net | | 67.195.228.106 | A (IP address) | IN (0x0001) | false
Jul 6, 2024 09:14:19.377379894 CEST | 1.1.1.1 | 192.168.2.7 | 0x8f35 | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.76 | A (IP address) | IN (0x0001) | false
                                                                                        Jul 6, 2024 09:14:19.377379894 CEST1.1.1.1192.168.2.70x8f35No error (0)mta5.am0.yahoodns.net67.195.228.109A (IP address)IN (0x0001)false
                                                                                        Jul 6, 2024 09:14:19.377379894 CEST1.1.1.1192.168.2.70x8f35No error (0)mta5.am0.yahoodns.net67.195.228.111A (IP address)IN (0x0001)false
                                                                                        Jul 6, 2024 09:14:19.377379894 CEST1.1.1.1192.168.2.70x8f35No error (0)mta5.am0.yahoodns.net98.136.96.75A (IP address)IN (0x0001)false
                                                                                        Jul 6, 2024 09:14:39.391499996 CEST1.1.1.1192.168.2.70xad14No error (0)google.comMX (Mail exchange)IN (0x0001)false
                                                                                        Jul 6, 2024 09:14:56.097516060 CEST1.1.1.1192.168.2.70xac98No error (0)jotunheim.name80.66.75.11A (IP address)IN (0x0001)false
                                                                                        Jul 6, 2024 09:14:59.392393112 CEST1.1.1.1192.168.2.70x5685No error (0)mxs.mail.ru217.69.139.150A (IP address)IN (0x0001)false
                                                                                        Jul 6, 2024 09:14:59.392393112 CEST1.1.1.1192.168.2.70x5685No error (0)mxs.mail.ru94.100.180.31A (IP address)IN (0x0001)false
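
The answers above show the sandbox host 192.168.2.7 asking for the MX records of google.com and mail.ru and then resolving the mail exchangers it is handed (smtp.google.com, mxs.mail.ru, mta5.am0.yahoodns.net, microsoft-com.mail.protection.outlook.com). A workstation has no reason to locate other organisations' inbound mail servers; a spam-sending bot does, and it does so for many providers in a short span. The following check is an added example, not part of the Joe Sandbox report: it flags any client that queries MX records for two or more distinct domains within five minutes unless the client is an approved mail relay. The input rows copy the MX and A answers from the table in a reduced timestamp | client | name | type layout; the relay 192.168.2.25, the workstation 192.168.2.9, their rows and the threshold values are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed input: the MX and A answers from the table above, reduced to
# timestamp | client | name | type, plus control rows that are not on this page
# (192.168.2.25 plays an approved mail relay, 192.168.2.9 a workstation doing one lookup).
LOG = """\
Jul 6, 2024 09:12:12.704437971 CEST | 192.168.2.7 | google.com | MX (Mail exchange)
Jul 6, 2024 09:12:12.714915991 CEST | 192.168.2.7 | smtp.google.com | A (IP address)
Jul 6, 2024 09:12:32.719425917 CEST | 192.168.2.7 | mail.ru | MX (Mail exchange)
Jul 6, 2024 09:12:32.728657007 CEST | 192.168.2.7 | mxs.mail.ru | A (IP address)
Jul 6, 2024 09:13:05.000000000 CEST | 192.168.2.25 | google.com | MX (Mail exchange)
Jul 6, 2024 09:13:06.000000000 CEST | 192.168.2.25 | mail.ru | MX (Mail exchange)
Jul 6, 2024 09:13:30.000000000 CEST | 192.168.2.9 | google.com | MX (Mail exchange)
Jul 6, 2024 09:14:39.391499996 CEST | 192.168.2.7 | google.com | MX (Mail exchange)
"""

MAIL_RELAYS = {"192.168.2.25"}      # assumption: the only hosts expected to query MX records
WINDOW = timedelta(minutes=5)       # assumption: correlation window
MIN_DISTINCT_DOMAINS = 2            # assumption: alert threshold

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.\d+ \w+$")


def parse_ts(text):
    """'Jul 6, 2024 09:12:12.704437971 CEST' -> naive datetime (sub-seconds and zone dropped)."""
    m = TS_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    return datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S")


def parse_log(text):
    """Return (time, client, name, record type) tuples from the pipe-separated rows."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, client, name, rtype = (f.strip() for f in line.split("|"))
            rows.append((parse_ts(ts), client, name.lower(), rtype.split()[0]))
    return rows


def mx_lookup_alerts(rows, window=WINDOW, min_domains=MIN_DISTINCT_DOMAINS, relays=MAIL_RELAYS):
    """Slide `window` over each non-relay client's MX queries in time order and
    raise one alert per client once the window covers `min_domains` distinct domains."""
    per_client = defaultdict(list)
    for ts, client, name, rtype in rows:
        if rtype == "MX" and client not in relays:
            per_client[client].append((ts, name))
    alerts = []
    for client, queries in per_client.items():
        queries.sort()
        start = 0
        for end in range(len(queries)):
            while queries[end][0] - queries[start][0] > window:
                start += 1
            domains = {name for _, name in queries[start:end + 1]}
            if len(domains) >= min_domains:
                alerts.append({"client": client, "domains": sorted(domains),
                               "first": queries[start][0], "last": queries[end][0]})
                break
    return alerts


if __name__ == "__main__":
    for a in mx_lookup_alerts(parse_log(LOG)):
        print(f'{a["client"]} queried MX for {", ".join(a["domains"])} '
              f'between {a["first"]:%H:%M:%S} and {a["last"]:%H:%M:%S}')
```

Run against the rows above, only 192.168.2.7 is reported (google.com and mail.ru twenty seconds apart); the relay is exempt and the single google.com lookup from 192.168.2.9 stays below the threshold. The A-record answers are parsed but not scored, so the same rows can be reused if you later want to correlate resolution of the returned MX hosts with outbound TCP/25 connections.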

                                                                                        Target ID:0
                                                                                        Start time:03:11:01
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Users\user\Desktop\vyrcclmm.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Users\user\Desktop\vyrcclmm.exe"
                                                                                        Imagebase:0x400000
                                                                                        File size:10'890'752 bytes
                                                                                        MD5 hash:52D6521FDF86EF42B47AFA05BF06225F
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.1257457512.0000000004460000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.1257457512.0000000004460000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.1257457512.0000000004460000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3694703474.00000000028E2000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                        • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                        Reputation:low
                                                                                        Has exited:false

                                                                                        Target ID:2
                                                                                        Start time:03:11:06
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                        Imagebase:0x7ff7b4ee0000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:3
                                                                                        Start time:03:11:06
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                        Imagebase:0x7ff7b4ee0000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:false
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:4
                                                                                        Start time:03:11:06
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bzycpcet\
                                                                                        Imagebase:0x410000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:5
                                                                                        Start time:03:11:06
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff75da10000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:6
                                                                                        Start time:03:11:06
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\System32\SgrmBroker.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                        Imagebase:0x7ff7161e0000
                                                                                        File size:329'504 bytes
                                                                                        MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:7
                                                                                        Start time:03:11:07
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\bzycpcet\
                                                                                        Imagebase:0x410000
                                                                                        File size:236'544 bytes
                                                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:8
                                                                                        Start time:03:11:07
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff75da10000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:9
                                                                                        Start time:03:11:07
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                        Imagebase:0x7ff7b4ee0000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:10
                                                                                        Start time:03:11:07
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                        Imagebase:0x7ff7b4ee0000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:11
                                                                                        Start time:03:11:07
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\SysWOW64\sc.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\sc.exe" create bzycpcet binPath= "C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d\"C:\Users\user\Desktop\vyrcclmm.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                        Imagebase:0xa40000
                                                                                        File size:61'440 bytes
                                                                                        MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:moderate
                                                                                        Has exited:true
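
Targets 4, 7 and 11 above, with the sc description and sc start commands that follow (Targets 16 and 18), are one persistence chain: create a directory with a random name under SysWOW64, move the dropped executable into it, register it as an auto-start service with a plausible display name, then start it. Each command is unremarkable on its own, which is why it is worth correlating them by the directory and service name. The following Python correlation is an added example, not part of the Joe Sandbox report. Its events are constructed in a Sysmon-style shape: the first five command lines are copied from this page, the VendorAgent service, its path and its timestamp are an invented benign control, and the scoring threshold is an assumption. The meaning of the /d argument is not documented on this page, so the check only records that it points at a file under a user profile (the original sample path).

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events: the first five command lines are
# copied from this page, the VendorAgent line is an invented benign control.
EVENTS = [
    {"ts": "03:11:06", "cmdline": r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\bzycpcet' + "\\"},
    {"ts": "03:11:07", "cmdline": r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user~1\AppData\Local\Temp\pspizbvl.exe" C:\Windows\SysWOW64\bzycpcet' + "\\"},
    {"ts": "03:11:07", "cmdline": r'"C:\Windows\System32\sc.exe" create bzycpcet binPath= "C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d\"C:\Users\user\Desktop\vyrcclmm.exe\"" type= own start= auto DisplayName= "wifi support"'},
    {"ts": "03:11:08", "cmdline": r'"C:\Windows\System32\sc.exe" description bzycpcet "wifi internet conection"'},
    {"ts": "03:11:09", "cmdline": r'"C:\Windows\System32\sc.exe" start bzycpcet'},
    {"ts": "03:20:00", "cmdline": r'"C:\Windows\System32\sc.exe" create VendorAgent binPath= "C:\Program Files\Vendor\agent.exe --service" start= auto DisplayName= "Vendor Agent"'},
]

# Service image sitting one directory below System32 or SysWOW64.
SYSDIR_SUBDIR = re.compile(r"\\windows\\(system32|syswow64)\\[^\\]+\\[^\\]+$", re.I)


def win_argv(cmdline):
    """Split a Windows command line: double quotes group, backslash-quote is a
    literal quote, every other backslash is a path separator and is kept."""
    args, cur, quoted, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and cmdline[i + 1:i + 2] == '"':
            cur.append('"')
            i += 1                      # consume the escaped quote as well
        elif c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        args.append("".join(cur))
    return args


def exe_name(argv):
    return PureWindowsPath(argv[0]).name.lower() if argv else ""


def parse_cmd_c(argv):
    """argv of the command run through 'cmd.exe /C ...', else None."""
    if exe_name(argv) in ("cmd", "cmd.exe"):
        for i, a in enumerate(argv):
            if a.lower() == "/c":
                return argv[i + 1:]
    return None


def parse_sc(argv):
    """(verb, service, params) for an sc.exe call, else None. sc's 'key= value'
    syntax puts each value in the argument *after* the 'key=' token."""
    if exe_name(argv) not in ("sc", "sc.exe") or len(argv) < 3:
        return None
    rest, params = argv[3:], {}
    for i in range(len(rest) - 1):
        if rest[i].endswith("="):
            params[rest[i][:-1].lower()] = rest[i + 1]
    return argv[1].lower(), argv[2], params


def assess_binpath(binpath):
    """Image path and findings for a service binPath value."""
    argv = win_argv(binpath)
    image, args, findings = (argv[0] if argv else ""), argv[1:], []
    if SYSDIR_SUBDIR.search(image):
        findings.append("image in a subdirectory of System32/SysWOW64")
    if any(re.search(r"\\users\\", a, re.I) for a in args):
        findings.append("arguments reference a file under a user profile")
    return image, findings


def analyze(events):
    """Walk events in time order; return {service name: verdict}."""
    staged_dirs, services = set(), {}
    for ev in events:
        argv = win_argv(ev["cmdline"])
        inner = parse_cmd_c(argv)
        if inner:
            if inner[0].lower() in ("mkdir", "md", "move") and len(inner) > 1:
                staged_dirs.add(inner[-1].rstrip("\\").lower())   # last arg is the target dir
            continue
        sc = parse_sc(argv)
        if not sc:
            continue
        verb, name, params = sc
        svc = services.setdefault(name, {"name": name, "findings": [], "stages": []})
        if verb == "create":
            svc["image"], svc["findings"] = assess_binpath(params.get("binpath", ""))
            if params.get("start", "").lower() == "auto":
                svc["findings"].append("auto-start")
            if str(PureWindowsPath(svc["image"]).parent).lower() in staged_dirs:
                svc["findings"].append("binary staged via cmd /C mkdir/move before service creation")
        svc["stages"].append(verb)
    for svc in services.values():
        svc["score"] = len(svc["findings"]) + ("start" in svc["stages"])
        svc["suspicious"] = svc["score"] >= 3      # assumption: three signals is the alert bar
    return services
```

Calling analyze(EVENTS) returns bzycpcet with all four findings and the create/description/start stages, while VendorAgent collects only the auto-start finding and stays below the bar. The tokenizer matters more than it looks: the binPath on this page carries escaped quotes (\" around the /d argument) and a space, and naive splitting on whitespace would lose the image path and the user-profile reference that make the service stand out.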

                                                                                        Target ID:12
                                                                                        Start time:03:11:07
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff75da10000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:true

                                                                                        Target ID:13
                                                                                        Start time:03:11:07
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
                                                                                        Imagebase:0x7ff7b4ee0000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:15
                                                                                        Start time:03:11:08
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                                                                        Imagebase:0x7ff7b4ee0000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Reputation:high
                                                                                        Has exited:false

                                                                                        Target ID:16
                                                                                        Start time:03:11:08
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\SysWOW64\sc.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\sc.exe" description bzycpcet "wifi internet conection"
                                                                                        Imagebase:0xa40000
                                                                                        File size:61'440 bytes
                                                                                        MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:17
                                                                                        Start time:03:11:08
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff75da10000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:18
                                                                                        Start time:03:11:09
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\SysWOW64\sc.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\sc.exe" start bzycpcet
                                                                                        Imagebase:0xa40000
                                                                                        File size:61'440 bytes
                                                                                        MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:19
                                                                                        Start time:03:11:09
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff75da10000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:20
                                                                                        Start time:03:11:09
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe /d"C:\Users\user\Desktop\vyrcclmm.exe"
                                                                                        Imagebase:0x400000
                                                                                        File size:13'180'416 bytes
                                                                                        MD5 hash:38DF4E4C47840B37306FF102DD07903D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000014.00000003.1384034173.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000014.00000003.1384034173.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000014.00000003.1384034173.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000014.00000002.1689340348.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000014.00000002.1689340348.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000014.00000002.1689340348.0000000003130000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                        • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000014.00000002.1689220789.00000000029ED000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                        Has exited:true

                                                                                        Target ID:21
                                                                                        Start time:03:11:09
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\SysWOW64\netsh.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                        Imagebase:0x1770000
                                                                                        File size:82'432 bytes
                                                                                        MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:22
                                                                                        Start time:03:11:10
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff75da10000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:23
                                                                                        Start time:03:11:10
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                                                                        Imagebase:0x7ff7b4ee0000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:24
                                                                                        Start time:03:11:18
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\SysWOW64\svchost.exe
                                                                                        Wow64 process (32bit):true
                                                                                        Commandline:svchost.exe
                                                                                        Imagebase:0x890000
                                                                                        File size:46'504 bytes
                                                                                        MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:true
                                                                                        Programmed in:C, C++ or other language
                                                                                        Yara matches:
                                                                                        • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                        • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                        • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                        Has exited:false

                                                                                        Target ID:26
                                                                                        Start time:04:21:11
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                        Imagebase:0x7ff7b4ee0000
                                                                                        File size:55'320 bytes
                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:false

                                                                                        Target ID:27
                                                                                        Start time:04:21:33
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                        Imagebase:0x7ff6a5ca0000
                                                                                        File size:468'120 bytes
                                                                                        MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true

                                                                                        Target ID:28
                                                                                        Start time:04:21:33
                                                                                        Start date:06/07/2024
                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                        Wow64 process (32bit):false
                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                        Imagebase:0x7ff75da10000
                                                                                        File size:862'208 bytes
                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                        Has elevated privileges:true
                                                                                        Has administrator privileges:false
                                                                                        Programmed in:C, C++ or other language
                                                                                        Has exited:true


                                                                                          Execution Graph

                                                                                          Execution Coverage:4.1%
                                                                                          Dynamic/Decrypted Code Coverage:2.1%
                                                                                          Signature Coverage:24.8%
                                                                                          Total number of Nodes:1539
                                                                                          Total number of Limit Nodes:19
                                                                                          execution_graph 14463 409a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 14581 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 14463->14581 14465 409a95 14466 409aa3 GetModuleHandleA GetModuleFileNameA 14465->14466 14471 40a3c7 14465->14471 14478 409ac4 14466->14478 14467 40a41c CreateThread WSAStartup 14753 40e52e 14467->14753 15604 40405e CreateEventA 14467->15604 14468 40a406 DeleteFileA 14468->14471 14472 40a40d 14468->14472 14470 409afd GetCommandLineA 14479 409b22 14470->14479 14471->14467 14471->14468 14471->14472 14474 40a3ed GetLastError 14471->14474 14472->14467 14473 40a445 14772 40eaaf 14473->14772 14474->14472 14476 40a3f8 Sleep 14474->14476 14476->14468 14477 40a44d 14776 401d96 14477->14776 14478->14470 14484 409c0c 14479->14484 14490 409b47 14479->14490 14481 40a457 14824 4080c9 14481->14824 14582 4096aa 14484->14582 14494 409b96 lstrlenA 14490->14494 14496 409b58 14490->14496 14491 40a1d2 14497 40a1e3 GetCommandLineA 14491->14497 14492 409c39 14495 40a167 GetModuleHandleA GetModuleFileNameA 14492->14495 14588 404280 CreateEventA 14492->14588 14494->14496 14499 409c05 ExitProcess 14495->14499 14500 40a189 14495->14500 14496->14499 14505 40675c 21 API calls 14496->14505 14524 40a205 14497->14524 14500->14499 14507 40a1b2 GetDriveTypeA 14500->14507 14508 409be3 14505->14508 14507->14499 14509 40a1c5 14507->14509 14508->14499 14690 406a60 CreateFileA 14508->14690 14734 409145 GetModuleHandleA GetModuleFileNameA CharToOemA 14509->14734 14516 40a491 14517 40a49f GetTickCount 14516->14517 14520 40a4be Sleep 14516->14520 14523 40a4b7 GetTickCount 14516->14523 14870 40c913 14516->14870 14517->14516 14517->14520 14518 409ca0 GetTempPathA 14519 409e3e 14518->14519 14522 409cba 14518->14522 14530 409e6b GetEnvironmentVariableA 14519->14530 14531 409e04 14519->14531 14520->14516 14643 4099d2 lstrcpyA 14522->14643 14523->14520 14527 40a285 
lstrlenA 14524->14527 14540 40a239 14524->14540 14527->14540 14530->14531 14532 409e7d 14530->14532 14729 40ec2e 14531->14729 14533 4099d2 16 API calls 14532->14533 14534 409e9d 14533->14534 14534->14531 14539 409eb0 lstrcpyA lstrlenA 14534->14539 14536 409d5f 14709 406cc9 14536->14709 14538 40a3c2 14746 4098f2 14538->14746 14541 409ef4 14539->14541 14742 406ec3 14540->14742 14545 406dc2 6 API calls 14541->14545 14548 409f03 14541->14548 14544 40a35f 14544->14538 14544->14544 14550 40a37b 14544->14550 14545->14548 14546 40a39d StartServiceCtrlDispatcherA 14546->14538 14549 409f32 RegOpenKeyExA 14548->14549 14551 409f48 RegSetValueExA RegCloseKey 14549->14551 14555 409f70 14549->14555 14550->14546 14551->14555 14552 409cf6 14650 409326 14552->14650 14561 409f9d GetModuleHandleA GetModuleFileNameA 14555->14561 14556 409e0c DeleteFileA 14556->14519 14557 409dde GetFileAttributesExA 14557->14556 14558 409df7 14557->14558 14558->14531 14560 409dff 14558->14560 14719 4096ff 14560->14719 14563 409fc2 14561->14563 14580 40a093 14561->14580 14569 409ff1 GetDriveTypeA 14563->14569 14563->14580 14564 40a103 CreateProcessA 14566 40a13a 14564->14566 14567 40a12a DeleteFileA 14564->14567 14565 40a0a4 wsprintfA 14725 402544 14565->14725 14566->14531 14573 4096ff 3 API calls 14566->14573 14567->14566 14571 40a00d 14569->14571 14569->14580 14575 40a02d lstrcatA 14571->14575 14573->14531 14576 40a046 14575->14576 14577 40a052 lstrcatA 14576->14577 14578 40a064 lstrcatA 14576->14578 14577->14578 14579 40a081 lstrcatA 14578->14579 14578->14580 14579->14580 14580->14564 14580->14565 14581->14465 14583 4096b9 14582->14583 14973 4073ff 14583->14973 14585 4096e2 14586 4096f7 14585->14586 14993 40704c 14585->14993 14586->14491 14586->14492 14589 4042a5 14588->14589 14590 40429d 14588->14590 15018 403ecd 14589->15018 14590->14495 14615 40675c 14590->14615 14592 4042b0 15022 404000 14592->15022 14594 4043c1 CloseHandle 14594->14590 14595 4042b6 14595->14590 14595->14594 15028 403f18 
WriteFile 14595->15028 14600 4043ba CloseHandle 14600->14594 14601 404318 14602 403f18 4 API calls 14601->14602 14603 404331 14602->14603 14604 403f18 4 API calls 14603->14604 14605 40434a 14604->14605 15036 40ebcc GetProcessHeap RtlAllocateHeap 14605->15036 14607 404350 14609 403f18 4 API calls 14607->14609 14610 404389 14609->14610 14611 40ec2e codecvt 4 API calls 14610->14611 14612 40438f 14611->14612 14613 403f8c 4 API calls 14612->14613 14614 40439f CloseHandle CloseHandle 14613->14614 14614->14590 14616 406784 CreateFileA 14615->14616 14617 40677a SetFileAttributesA 14615->14617 14618 4067a4 CreateFileA 14616->14618 14619 4067b5 14616->14619 14617->14616 14618->14619 14620 4067c5 14619->14620 14621 4067ba SetFileAttributesA 14619->14621 14622 406977 14620->14622 14623 4067cf GetFileSize 14620->14623 14621->14620 14622->14495 14622->14518 14622->14519 14624 4067e5 14623->14624 14642 406965 14623->14642 14625 4067ed ReadFile 14624->14625 14624->14642 14627 406811 SetFilePointer 14625->14627 14625->14642 14626 40696e FindCloseChangeNotification 14626->14622 14628 40682a ReadFile 14627->14628 14627->14642 14629 406848 SetFilePointer 14628->14629 14628->14642 14630 406867 14629->14630 14629->14642 14631 4068d5 14630->14631 14632 406878 ReadFile 14630->14632 14631->14626 14634 40ebcc 4 API calls 14631->14634 14633 4068d0 14632->14633 14636 406891 14632->14636 14633->14631 14635 4068f8 14634->14635 14637 406900 SetFilePointer 14635->14637 14635->14642 14636->14632 14636->14633 14638 40695a 14637->14638 14639 40690d ReadFile 14637->14639 14641 40ec2e codecvt 4 API calls 14638->14641 14639->14638 14640 406922 14639->14640 14640->14626 14641->14642 14642->14626 14644 4099eb 14643->14644 14645 409a2f lstrcatA 14644->14645 14646 40ee2a 14645->14646 14647 409a4b lstrcatA 14646->14647 14648 406a60 13 API calls 14647->14648 14649 409a60 14648->14649 14649->14519 14649->14552 14703 406dc2 14649->14703 15042 401910 14650->15042 14653 40934a GetModuleHandleA GetModuleFileNameA 
14655 40937f 14653->14655 14656 4093a4 14655->14656 14657 4093d9 14655->14657 14658 4093c3 wsprintfA 14656->14658 14659 409401 wsprintfA 14657->14659 14661 409415 14658->14661 14659->14661 14660 4094a0 15044 406edd 14660->15044 14661->14660 14664 406cc9 5 API calls 14661->14664 14663 4094ac 14665 40962f 14663->14665 14668 4094e8 RegOpenKeyExA 14663->14668 14672 409439 14664->14672 14666 409639 VirtualProtect 14665->14666 14667 40967b 14665->14667 14669 40966d 14666->14669 14689 4095d6 14666->14689 15052 4091eb 14667->15052 14670 409502 14668->14670 14671 4094fb 14668->14671 14669->14667 14677 40951f RegQueryValueExA 14670->14677 14671->14665 14676 40958a 14671->14676 15057 40ef1e lstrlenA 14672->15057 14674 40960c 14674->14556 14674->14557 14676->14667 14681 409593 14676->14681 14678 409530 14677->14678 14679 409539 14677->14679 14682 40956e RegCloseKey 14678->14682 14683 409556 RegQueryValueExA 14679->14683 14680 409462 14684 40947e wsprintfA 14680->14684 14681->14674 15059 40f0e4 14681->15059 14682->14671 14683->14678 14683->14682 14684->14660 14686 4095bb 14686->14674 14687 4095c2 14686->14687 15066 4018e0 VirtualProtect 14687->15066 14689->14674 14691 406b8c GetLastError 14690->14691 14692 406a8f GetDiskFreeSpaceA 14690->14692 14694 406b86 14691->14694 14693 406ac5 14692->14693 14702 406ad7 14692->14702 15093 40eb0e 14693->15093 14694->14499 14698 406b56 FindCloseChangeNotification 14698->14694 14701 406b65 GetLastError CloseHandle 14698->14701 14699 406b36 GetLastError CloseHandle 14700 406b7f DeleteFileA 14699->14700 14700->14694 14701->14700 15087 406987 14702->15087 14704 406e24 14703->14704 14705 406dd7 14703->14705 14704->14536 14706 406cc9 5 API calls 14705->14706 14707 406ddc 14706->14707 14707->14704 14707->14707 14708 406e02 GetVolumeInformationA 14707->14708 14708->14704 14710 406cdc GetModuleHandleA GetProcAddress 14709->14710 14711 406dbe lstrcpyA lstrcatA lstrcatA 14709->14711 14712 406d12 GetSystemDirectoryA 14710->14712 14713 406cfd 14710->14713 
15904->15916 15905->15916 15906->15907 15907->15898 15908 40a9b0 wsprintfA 15908->15916 15911 4030b5 2 API calls 15909->15911 15909->15916 15910->15903 15910->15908 15910->15909 15912 40ab05 15911->15912 15913 40e819 11 API calls 15912->15913 15914 40ab17 15913->15914 15915 40a7a3 inet_ntoa 15914->15915 15915->15916 15916->15848 15918 4030fa 4 API calls 15917->15918 15919 403d0b 15918->15919 15919->15848 15921 405ce1 22 API calls 15920->15921 15922 40b3e6 15921->15922 15923 405ce1 22 API calls 15922->15923 15925 40b404 15923->15925 15924 40b440 15927 40ef7c 3 API calls 15924->15927 15925->15924 15926 40ef7c 3 API calls 15925->15926 15928 40b42b 15926->15928 15929 40b458 wsprintfA 15927->15929 15930 40ef7c 3 API calls 15928->15930 15931 40ef7c 3 API calls 15929->15931 15930->15924 15932 40b480 15931->15932 15933 40ef7c 3 API calls 15932->15933 15934 40b493 15933->15934 15935 40ef7c 3 API calls 15934->15935 15936 40b4bb 15935->15936 16068 40ad89 GetLocalTime SystemTimeToFileTime 15936->16068 15940 40b4cc 15941 40ef7c 3 API calls 15940->15941 15942 40b4dd 15941->15942 15943 40b211 7 API calls 15942->15943 15944 40b4ec 15943->15944 15945 40ef7c 3 API calls 15944->15945 15946 40b4fd 15945->15946 15947 40b211 7 API calls 15946->15947 15948 40b509 15947->15948 15949 40ef7c 3 API calls 15948->15949 15950 40b51a 15949->15950 15950->15848 15953 40abe9 GetTickCount 15951->15953 15954 40ab8c 15951->15954 15952 40aba8 lstrcpynA 15952->15954 15956 40a51d 15953->15956 15954->15952 15954->15953 15955 40abe1 InterlockedIncrement 15954->15955 15955->15954 15957 40a4c7 4 API calls 15956->15957 15958 40a52c 15957->15958 15959 40a542 GetTickCount 15958->15959 15961 40a539 GetTickCount 15958->15961 15959->15961 15962 40a56c 15961->15962 15962->15848 15964 40a4c7 4 API calls 15963->15964 15965 40a633 15964->15965 15965->15848 15967 40f04e 4 API calls 15966->15967 15969 40372a 15967->15969 15968 403847 15968->15867 15968->15868 15969->15968 15970 4037b3 GetCurrentThreadId 15969->15970 
15970->15969 15971 4037c8 GetCurrentThreadId 15970->15971 15971->15969 15973 40f04e 4 API calls 15972->15973 15977 40360c 15973->15977 15974 4036f1 15974->15866 15974->15868 15975 4036da GetCurrentThreadId 15975->15974 15976 4036e5 GetCurrentThreadId 15975->15976 15976->15974 15977->15974 15977->15975 15979 404bff InterlockedExchange 15978->15979 15980 404c08 15979->15980 15981 404bec GetTickCount 15979->15981 15980->15870 15981->15980 15982 404bf7 Sleep 15981->15982 15982->15979 16002 404763 15983->16002 15985 405b58 16012 404699 15985->16012 15988 404763 lstrlenA 15989 405b6e 15988->15989 16033 404f9f 15989->16033 15991 405b79 15991->15848 15993 405549 lstrlenA 16000 40548a 15993->16000 15995 40558d lstrcpynA 15995->16000 15996 405a9f lstrcpyA 15996->16000 15997 405472 13 API calls 15997->16000 15998 405935 lstrcpynA 15998->16000 15999 4058e7 lstrcpyA 15999->16000 16000->15985 16000->15995 16000->15996 16000->15997 16000->15998 16000->15999 16001 404ae6 8 API calls 16000->16001 16006 404ae6 16000->16006 16010 40ef7c lstrlenA lstrlenA lstrlenA 16000->16010 16001->16000 16004 40477a 16002->16004 16003 404859 16003->16000 16004->16003 16005 40480d lstrlenA 16004->16005 16005->16004 16007 404af3 16006->16007 16009 404b03 16006->16009 16008 40ebed 8 API calls 16007->16008 16008->16009 16009->15993 16011 40efb4 16010->16011 16011->16000 16038 4045b3 16012->16038 16015 4045b3 7 API calls 16016 4046c6 16015->16016 16017 4045b3 7 API calls 16016->16017 16018 4046d8 16017->16018 16019 4045b3 7 API calls 16018->16019 16020 4046ea 16019->16020 16021 4045b3 7 API calls 16020->16021 16022 4046ff 16021->16022 16023 4045b3 7 API calls 16022->16023 16024 404711 16023->16024 16025 4045b3 7 API calls 16024->16025 16026 404723 16025->16026 16027 40ef7c 3 API calls 16026->16027 16028 404735 16027->16028 16029 40ef7c 3 API calls 16028->16029 16030 40474a 16029->16030 16031 40ef7c 3 API calls 16030->16031 16032 40475c 16031->16032 16032->15988 16034 404fac 16033->16034 16037 404fb0 
16033->16037 16034->15991 16035 404ffd 16035->15991 16036 404fd5 IsBadCodePtr 16036->16037 16037->16035 16037->16036 16039 4045c1 16038->16039 16040 4045c8 16038->16040 16041 40ebcc 4 API calls 16039->16041 16042 40ebcc 4 API calls 16040->16042 16044 4045e1 16040->16044 16041->16040 16042->16044 16043 404691 16043->16015 16044->16043 16045 40ef7c 3 API calls 16044->16045 16045->16044 16061 402d21 GetModuleHandleA 16046->16061 16049 402f4f 16051 402f6b GetProcessHeap HeapFree 16049->16051 16050 402fcf GetProcessHeap HeapFree 16053 402f44 16050->16053 16051->16053 16052 402f85 16052->16050 16053->15894 16055 403900 16054->16055 16057 403980 16054->16057 16056 4030fa 4 API calls 16055->16056 16060 40390a 16056->16060 16057->15890 16058 40391b GetCurrentThreadId 16058->16060 16059 403939 GetCurrentThreadId 16059->16060 16060->16057 16060->16058 16060->16059 16062 402d46 LoadLibraryA 16061->16062 16063 402d5b GetProcAddress 16061->16063 16062->16063 16065 402d54 16062->16065 16063->16065 16067 402d6b 16063->16067 16064 402d97 GetProcessHeap HeapAlloc 16064->16065 16064->16067 16065->16049 16065->16052 16065->16053 16066 402db5 lstrcpynA 16066->16067 16067->16064 16067->16065 16067->16066 16069 40adbf 16068->16069 16093 40ad08 gethostname 16069->16093 16072 4030b5 2 API calls 16073 40add3 16072->16073 16074 40a7a3 inet_ntoa 16073->16074 16081 40ade4 16073->16081 16074->16081 16075 40ae85 wsprintfA 16076 40ef7c 3 API calls 16075->16076 16077 40aebb 16076->16077 16080 40ef7c 3 API calls 16077->16080 16078 40ae36 wsprintfA wsprintfA 16079 40ef7c 3 API calls 16078->16079 16079->16081 16082 40aed2 16080->16082 16081->16075 16081->16078 16083 40b211 16082->16083 16084 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 16083->16084 16085 40b2af GetLocalTime 16083->16085 16086 40b2d2 16084->16086 16085->16086 16087 40b2d9 SystemTimeToFileTime 16086->16087 16088 40b31c GetTimeZoneInformation 16086->16088 16089 40b2ec 16087->16089 16090 40b33a wsprintfA 16088->16090 16091 40b312 
FileTimeToSystemTime 16089->16091 16090->15940 16091->16088 16094 40ad71 16093->16094 16098 40ad26 lstrlenA 16093->16098 16095 40ad85 16094->16095 16096 40ad79 lstrcpyA 16094->16096 16095->16072 16096->16095 16098->16094 16099 40ad68 lstrlenA 16098->16099 16099->16094 16101 40f428 14 API calls 16100->16101 16102 40198a 16101->16102 16103 401990 closesocket 16102->16103 16104 401998 16102->16104 16103->16104 16104->15692 16106 402d21 6 API calls 16105->16106 16107 402f01 16106->16107 16110 402f0f 16107->16110 16121 402df2 GetModuleHandleA 16107->16121 16109 402684 2 API calls 16111 402f1d 16109->16111 16110->16109 16112 402f1f 16110->16112 16111->15695 16112->15695 16114 401c80 16113->16114 16115 401cc2 wsprintfA 16114->16115 16116 401d1c 16114->16116 16120 401d79 16114->16120 16117 402684 2 API calls 16115->16117 16116->16116 16118 401d47 wsprintfA 16116->16118 16117->16114 16119 402684 2 API calls 16118->16119 16119->16120 16120->15709 16122 402e10 LoadLibraryA 16121->16122 16123 402e0b 16121->16123 16124 402e17 16122->16124 16123->16122 16123->16124 16125 402ef1 16124->16125 16126 402e28 GetProcAddress 16124->16126 16125->16110 16126->16125 16127 402e3e GetProcessHeap HeapAlloc 16126->16127 16129 402e62 16127->16129 16128 402ede GetProcessHeap HeapFree 16128->16125 16129->16125 16129->16128 16130 402e7f htons inet_addr 16129->16130 16131 402ea5 gethostbyname 16129->16131 16133 402ceb 16129->16133 16130->16129 16130->16131 16131->16129 16134 402cf2 16133->16134 16136 402d1c 16134->16136 16137 402d0e Sleep 16134->16137 16138 402a62 GetProcessHeap HeapAlloc 16134->16138 16136->16129 16137->16134 16137->16136 16139 402a92 16138->16139 16140 402a99 socket 16138->16140 16139->16134 16141 402cd3 GetProcessHeap HeapFree 16140->16141 16142 402ab4 16140->16142 16141->16139 16142->16141 16156 402abd 16142->16156 16143 402adb htons 16158 4026ff 16143->16158 16145 402b04 select 16145->16156 16146 402cb3 GetProcessHeap HeapFree closesocket 16146->16139 16147 402b3f recv 
16147->16156 16148 402b66 htons 16149 402ca4 16148->16149 16148->16156 16149->16146 16150 402b87 htons 16150->16149 16150->16156 16153 402bf3 GetProcessHeap HeapAlloc 16153->16156 16154 402c17 htons 16173 402871 16154->16173 16156->16143 16156->16145 16156->16146 16156->16147 16156->16148 16156->16149 16156->16150 16156->16153 16156->16154 16157 402c4d GetProcessHeap HeapFree 16156->16157 16165 402923 16156->16165 16177 402904 16156->16177 16157->16156 16159 40271d 16158->16159 16160 402717 16158->16160 16162 40272b GetTickCount htons 16159->16162 16161 40ebcc 4 API calls 16160->16161 16161->16159 16163 4027cc htons htons sendto 16162->16163 16164 40278a 16162->16164 16163->16156 16164->16163 16166 402944 16165->16166 16168 40293d 16165->16168 16181 402816 htons 16166->16181 16168->16156 16169 402871 htons 16172 402950 16169->16172 16170 4029bd htons htons htons 16170->16168 16171 4029f6 GetProcessHeap HeapAlloc 16170->16171 16171->16168 16171->16172 16172->16168 16172->16169 16172->16170 16174 4028e3 16173->16174 16176 402889 16173->16176 16174->16156 16175 4028c3 htons 16175->16174 16175->16176 16176->16174 16176->16175 16178 402921 16177->16178 16179 402908 16177->16179 16178->16156 16180 402909 GetProcessHeap HeapFree 16179->16180 16180->16178 16180->16180 16182 40286b 16181->16182 16183 402836 16181->16183 16182->16172 16183->16182 16184 40285c htons 16183->16184 16184->16182 16184->16183 16186 406bc0 16185->16186 16187 406bbc 16185->16187 16188 40ebcc 4 API calls 16186->16188 16190 406bd4 16186->16190 16187->15725 16189 406be4 16188->16189 16189->16190 16191 406c07 CreateFileA 16189->16191 16192 406bfc 16189->16192 16190->15725 16193 406c34 WriteFile 16191->16193 16194 406c2a 16191->16194 16195 40ec2e codecvt 4 API calls 16192->16195 16197 406c49 CloseHandle DeleteFileA 16193->16197 16198 406c5a CloseHandle 16193->16198 16196 40ec2e codecvt 4 API calls 16194->16196 16195->16190 16196->16190 16197->16194 16199 40ec2e codecvt 4 API calls 16198->16199 
16199->16190 14435 29c0005 14440 29c092b GetPEB 14435->14440 14437 29c0030 14442 29c003c 14437->14442 14441 29c0972 14440->14441 14441->14437 14443 29c0049 14442->14443 14457 29c0e0f SetErrorMode SetErrorMode 14443->14457 14448 29c0265 14449 29c02ce VirtualProtect 14448->14449 14451 29c030b 14449->14451 14450 29c0439 VirtualFree 14455 29c05f4 LoadLibraryA 14450->14455 14456 29c04be 14450->14456 14451->14450 14452 29c04e3 LoadLibraryA 14452->14456 14454 29c08c7 14455->14454 14456->14452 14456->14455 14458 29c0223 14457->14458 14459 29c0d90 14458->14459 14460 29c0dad 14459->14460 14461 29c0dbb GetPEB 14460->14461 14462 29c0238 VirtualAlloc 14460->14462 14461->14462 14462->14448 16200 28e6612 16203 28e661c 16200->16203 16204 28e662b 16203->16204 16207 28e6dbc 16204->16207 16213 28e6dd7 16207->16213 16208 28e6de0 CreateToolhelp32Snapshot 16209 28e6dfc Module32First 16208->16209 16208->16213 16210 28e6e0b 16209->16210 16211 28e661b 16209->16211 16214 28e6a7b 16210->16214 16213->16208 16213->16209 16215 28e6aa6 16214->16215 16216 28e6ab7 VirtualAlloc 16215->16216 16217 28e6aef 16215->16217 16216->16217 16217->16217
                                                                                          APIs
                                                                                          • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                          • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                            • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                            • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                            • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                          • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                          • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                          • ExitProcess.KERNEL32 ref: 00409C06
                                                                                          • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                          • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                          • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                          • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                          • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                          • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                          • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                          • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                          • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                          • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                          • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                          • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                          • wsprintfA.USER32 ref: 0040A0B6
                                                                                          • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                          • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                          • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                          • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                          • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                          • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                            • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                            • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                            • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                          • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                          • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                          • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                          • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                          • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                          • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                          • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                          • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                          • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                          • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                          • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                          • API String ID: 2089075347-2824936573
                                                                                          • Opcode ID: 408deff44febd3916874fa53db5e5f0dd1b788e316581794cedda39bc3a0aab8
                                                                                          • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                          • Opcode Fuzzy Hash: 408deff44febd3916874fa53db5e5f0dd1b788e316581794cedda39bc3a0aab8
                                                                                          • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

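The argument lists in the APIs section above are raw stack dwords, so reading them means decoding constants by hand: 80000001 as the first argument of RegOpenKeyExA is HKEY_CURRENT_USER, 00000001 in the fourth slot of RegSetValueExA is REG_SZ, 08000000 in the sixth slot of CreateProcessA is CREATE_NO_WINDOW, 00000003 in SetErrorMode is SEM_FAILCRITICALERRORS|SEM_NOGPFAULTERRORBOX, and a "?" is an argument the sandbox could not resolve. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in exactly this listing format (the sample input is copied from the listing above, including one "Part of subcall function" line and a header line that must be skipped), decodes those constants, and turns the GetTempPathA, RegOpenKeyExA(HKCU), RegSetValueExA(REG_SZ), CreateProcessA, DeleteFileA sequence into one-line findings. The constant tables are standard Win32 values; the triage rules are this example's own heuristics and are not the sandbox's signatures.

```python
"""Decode Joe Sandbox 'APIs' listing lines into triage findings.

SAMPLE_LISTING is copied from the report above, including the indented
"Part of subcall function" form and a header line that must be skipped.
The constant tables are documented Win32 values; the triage rules are this
added example's own heuristics, not Joe Sandbox signatures.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LISTING = """\
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
• GetCommandLineA.KERNEL32 ref: 00409AFD
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
"""

API_LINE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[A-Za-z0-9_]+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}
SEM_FLAGS = {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX",
             0x4: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}
CREATE_FLAGS = {0x4: "CREATE_SUSPENDED", 0x10: "CREATE_NEW_CONSOLE",
                0x200: "CREATE_NEW_PROCESS_GROUP", 0x08000000: "CREATE_NO_WINDOW"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                    # int for hex dwords, None for '?', str for resolved text
    ref: int                      # address of the call site
    parent: Optional[int] = None  # set for "Part of subcall function" lines


def parse_arg(tok: str):
    tok = tok.strip()
    if tok in ("", "?"):          # '?' means the sandbox could not resolve the slot
        return None
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", tok) else tok


def parse_listing(text: str) -> List[ApiCall]:
    """Parse every line that looks like an API entry; silently skip the rest."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        parent = int(m["parent"], 16) if m["parent"] else None
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), parent))
    return calls


def decode_flags(value: int, table: dict) -> str:
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)    # bits not covered by the table are shown as hex
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"


def triage(calls: List[ApiCall]) -> List[str]:
    """Turn the raw call list into one-line findings in listing order."""
    out, hkcu_open, temp_seen, spawned = [], False, False, False
    for c in calls:
        a = c.args
        first = a[0] if a and isinstance(a[0], int) else None
        if c.api == "SetErrorMode" and first is not None and first & 0x2:
            out.append(f"{c.ref:08X} SetErrorMode({decode_flags(first, SEM_FLAGS)}): crash dialogs suppressed")
        elif c.api == "SetUnhandledExceptionFilter":
            out.append(f"{c.ref:08X} SetUnhandledExceptionFilter: own top-level exception handler")
        elif c.api.startswith("RegOpenKeyEx") and first in HKEY_ROOTS:
            hkcu_open |= first == 0x80000001
            out.append(f"{c.ref:08X} {c.api} under {HKEY_ROOTS[first]}")
        elif c.api.startswith("RegSetValueEx") and len(a) > 3 and a[3] in REG_TYPES:
            where = "HKCU key opened earlier" if hkcu_open else "unknown key"
            out.append(f"{c.ref:08X} {c.api} writes {REG_TYPES[a[3]]} to {where}: possible persistence")
        elif c.api == "GetTempPathA":
            temp_seen = True
        elif c.api == "CreateProcessA" and len(a) > 5 and isinstance(a[5], int):
            spawned = True            # sixth parameter of CreateProcessA is dwCreationFlags
            tail = " after GetTempPathA" if temp_seen else ""
            out.append(f"{c.ref:08X} CreateProcessA flags={decode_flags(a[5], CREATE_FLAGS)}{tail}")
        elif c.api == "DeleteFileA" and spawned:
            out.append(f"{c.ref:08X} DeleteFileA after CreateProcessA: dropper removes a file")
        elif c.api == "Sleep" and first is not None:
            out.append(f"{c.ref:08X} Sleep({first} ms)")
    return out
```

Argument positions are only meaningful where the sandbox dumped at least as many stack slots as the prototype has parameters, so the rules key on the first slot (hKey, the SetErrorMode mask, the Sleep interval) or on a slot that lines up with the prototype (dwType of RegSetValueExA, dwCreationFlags of CreateProcessA) and treat "?" as unknown rather than zero. A resolved string in a slot, such as PromptOnSecureDesktop in the subcall lines above, is kept as text by parse_arg. The RegSetValueExA-after-HKCU rule only flags a candidate: the subkey name is unresolved in this listing, so the Signatures section of the report, not this heuristic, decides whether the write is persistence.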
                                                                                          Control-flow Graph

                                                                                          control_flow_graph 497 409326-409348 call 401910 GetVersionExA 500 409358-40935c 497->500 501 40934a-409356 497->501 502 409360-40937d GetModuleHandleA GetModuleFileNameA 500->502 501->502 503 409385-4093a2 502->503 504 40937f 502->504 505 4093a4-4093d7 call 402544 wsprintfA 503->505 506 4093d9-409412 call 402544 wsprintfA 503->506 504->503 511 409415-40942c call 40ee2a 505->511 506->511 514 4094a3-4094b3 call 406edd 511->514 515 40942e-409432 511->515 520 4094b9-4094f9 call 402544 RegOpenKeyExA 514->520 521 40962f-409632 514->521 515->514 517 409434-4094a0 call 406cc9 call 40ef00 call 402544 call 40ef1e call 402544 wsprintfA call 40ee2a 515->517 517->514 532 409502-40952e call 402544 RegQueryValueExA 520->532 533 4094fb-409500 520->533 523 409634-409637 521->523 526 409639-40964a VirtualProtect 523->526 527 40967b-409682 523->527 530 40964c-409662 526->530 531 40966d-409679 526->531 534 409683 call 4091eb 527->534 536 409664-40966b 530->536 537 40962b-40962d 530->537 531->534 548 409530-409537 532->548 549 409539-409565 call 402544 RegQueryValueExA 532->549 538 40957a-40957f 533->538 542 409688-409690 534->542 536->537 544 4096a2-4096a9 537->544 545 409581-409584 538->545 546 40958a-40958d 538->546 550 409692 542->550 551 409698-4096a0 542->551 545->523 545->546 546->527 553 409593-40959a 546->553 554 40956e-409577 RegCloseKey 548->554 549->554 563 409567 549->563 550->551 551->544 557 40961a-40961f 553->557 558 40959c-4095a1 553->558 554->538 561 409625 557->561 558->557 562 4095a3-4095c0 call 40f0e4 558->562 561->537 568 4095c2-4095db call 4018e0 562->568 569 40960c-409618 562->569 563->554 568->544 572 4095e1-4095f9 568->572 569->561 572->544 573 4095ff-409607 572->573 573->544
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                          • wsprintfA.USER32 ref: 004093CE
                                                                                          • wsprintfA.USER32 ref: 0040940C
                                                                                          • wsprintfA.USER32 ref: 0040948D
                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                          • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                          • String ID: PromptOnSecureDesktop$runas
                                                                                          • API String ID: 3696105349-2220793183
                                                                                          • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                          • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                          • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                          • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 574 40405e-40407b CreateEventA 575 404084-4040a8 call 403ecd call 404000 574->575 576 40407d-404081 574->576 581 404130-40413e call 40ee2a 575->581 582 4040ae-4040be call 40ee2a 575->582 587 40413f-404165 call 403ecd CreateNamedPipeA 581->587 582->581 588 4040c0-4040f1 call 40eca5 call 403f18 call 403f8c 582->588 593 404167-404174 Sleep 587->593 594 404188-404193 ConnectNamedPipe 587->594 605 4040f3-4040ff 588->605 606 404127-40412a CloseHandle 588->606 593->587 599 404176-404182 CloseHandle 593->599 597 404195-4041a5 GetLastError 594->597 598 4041ab-4041c0 call 403f8c 594->598 597->598 601 40425e-404265 DisconnectNamedPipe 597->601 598->594 607 4041c2-4041f2 call 403f18 call 403f8c 598->607 599->594 601->594 605->606 608 404101-404121 call 403f18 ExitProcess 605->608 606->581 607->601 615 4041f4-404200 607->615 615->601 616 404202-40420b call 403f8c 615->616 618 404210-404215 616->618 618->601 619 404217-40421b 618->619 619->601 620 40421d-404230 call 403f8c 619->620 620->601 623 404232-404236 620->623 623->594 624 40423c-404251 call 403f18 623->624 627 404253-404259 624->627 628 40426a-404276 CloseHandle * 2 call 40e318 624->628 627->594 630 40427b 628->630 630->630
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                          • ExitProcess.KERNEL32 ref: 00404121
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateEventExitProcess
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 2404124870-2980165447
                                                                                          • Opcode ID: fb32ede88c892ccab39cf83d003fcbea33a4e2e8563a4575a47fd59e5a1c2ade
                                                                                          • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                          • Opcode Fuzzy Hash: fb32ede88c892ccab39cf83d003fcbea33a4e2e8563a4575a47fd59e5a1c2ade
                                                                                          • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 669 406a60-406a89 CreateFileA 670 406b8c-406ba1 GetLastError 669->670 671 406a8f-406ac3 GetDiskFreeSpaceA 669->671 674 406ba3-406ba6 670->674 672 406ac5-406adc call 40eb0e 671->672 673 406b1d-406b34 call 406987 671->673 672->673 681 406ade 672->681 679 406b56-406b63 FindCloseChangeNotification 673->679 680 406b36-406b54 GetLastError CloseHandle 673->680 683 406b65-406b7d GetLastError CloseHandle 679->683 684 406b86-406b8a 679->684 682 406b7f-406b80 DeleteFileA 680->682 685 406ae0-406ae5 681->685 686 406ae7-406afb call 40eca5 681->686 682->684 683->682 684->674 685->686 687 406afd-406aff 685->687 686->673 687->673 690 406b01 687->690 691 406b03-406b08 690->691 692 406b0a-406b17 call 40eca5 690->692 691->673 691->692 692->673
                                                                                          APIs
                                                                                          • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,771A8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                          • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                          • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                          • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                          • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 1251348514-2980165447
                                                                                          • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                          • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                          • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                          • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                          • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                          • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$CountFileInformationSystemTickVolume
                                                                                          • String ID:
                                                                                          • API String ID: 1209300637-0
                                                                                          • Opcode ID: 4febc6132cbb2eeae90f99f22907b6d3a51082cd0e0b87a57774915eab482f02
                                                                                          • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                          • Opcode Fuzzy Hash: 4febc6132cbb2eeae90f99f22907b6d3a51082cd0e0b87a57774915eab482f02
                                                                                          • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 873 28e6dbc-28e6dd5 874 28e6dd7-28e6dd9 873->874 875 28e6ddb 874->875 876 28e6de0-28e6dec CreateToolhelp32Snapshot 874->876 875->876 877 28e6dee-28e6df4 876->877 878 28e6dfc-28e6e09 Module32First 876->878 877->878 885 28e6df6-28e6dfa 877->885 879 28e6e0b-28e6e0c call 28e6a7b 878->879 880 28e6e12-28e6e1a 878->880 883 28e6e11 879->883 883->880 885->874 885->878
                                                                                          APIs
                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 028E6DE4
                                                                                          • Module32First.KERNEL32(00000000,00000224), ref: 028E6E04
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3694703474.00000000028E2000.00000040.00000020.00020000.00000000.sdmp, Offset: 028E2000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_28e2000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                          • String ID:
                                                                                          • API String ID: 3833638111-0
                                                                                          • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                          • Instruction ID: c2c9c6b2fe92bf2741dc21397852692fb31cf94e2c46c9b0eae69dd74a3d63bd
                                                                                          • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                          • Instruction Fuzzy Hash: 07F0623D6007256BDB203AB9988DB6F76ECAF5A624F500568E647D10C0EB71F8454A61
                                                                                          APIs
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                          • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                            • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                            • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$AllocateSize
                                                                                          • String ID:
                                                                                          • API String ID: 2559512979-0
                                                                                          • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                          • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                          • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                          • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 264 4073ff-407419 265 40741b 264->265 266 40741d-407422 264->266 265->266 267 407424 266->267 268 407426-40742b 266->268 267->268 269 407430-407435 268->269 270 40742d 268->270 271 407437 269->271 272 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 269->272 270->269 271->272 277 407487-40749d call 40ee2a 272->277 278 4077f9-4077fe call 40ee2a 272->278 283 407703-40770e RegEnumKeyA 277->283 284 407801 278->284 285 4074a2-4074b1 call 406cad 283->285 286 407714-40771d RegCloseKey 283->286 287 407804-407808 284->287 290 4074b7-4074cc call 40f1a5 285->290 291 4076ed-407700 285->291 286->284 290->291 294 4074d2-4074f8 RegOpenKeyExA 290->294 291->283 295 407727-40772a 294->295 296 4074fe-407530 call 402544 RegQueryValueExA 294->296 297 407755-407764 call 40ee2a 295->297 298 40772c-407740 call 40ef00 295->298 296->295 304 407536-40753c 296->304 309 4076df-4076e2 297->309 306 407742-407745 RegCloseKey 298->306 307 40774b-40774e 298->307 308 40753f-407544 304->308 306->307 311 4077ec-4077f7 RegCloseKey 307->311 308->308 310 407546-40754b 308->310 309->291 312 4076e4-4076e7 RegCloseKey 309->312 310->297 313 407551-40756b call 40ee95 310->313 311->287 312->291 313->297 316 407571-407593 call 402544 call 40ee95 313->316 321 407753 316->321 322 407599-4075a0 316->322 321->297 323 4075a2-4075c6 call 40ef00 call 40ed03 322->323 324 4075c8-4075d7 call 40ed03 322->324 329 4075d8-4075da 323->329 324->329 332 4075dc 329->332 333 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 329->333 332->333 342 407626-40762b 333->342 342->342 343 40762d-407634 342->343 344 407637-40763c 343->344 344->344 345 40763e-407642 344->345 346 407644-407656 call 40ed77 345->346 347 40765c-407673 call 40ed23 345->347 346->347 352 407769-40777c call 40ef00 346->352 353 407680 347->353 354 407675-40767e 347->354 359 4077e3-4077e6 RegCloseKey 352->359 356 407683-40768e call 406cad 
353->356 354->356 361 407722-407725 356->361 362 407694-4076bf call 40f1a5 call 406c96 356->362 359->311 363 4076dd 361->363 368 4076c1-4076c7 362->368 369 4076d8 362->369 363->309 368->369 370 4076c9-4076d2 368->370 369->363 370->369 371 40777e-407797 GetFileAttributesExA 370->371 372 407799 371->372 373 40779a-40779f 371->373 372->373 374 4077a1 373->374 375 4077a3-4077a8 373->375 374->375 376 4077c4-4077c8 375->376 377 4077aa-4077c0 call 40ee08 375->377 379 4077d7-4077dc 376->379 380 4077ca-4077d6 call 40ef00 376->380 377->376 383 4077e0-4077e2 379->383 384 4077de 379->384 380->379 383->359 384->383
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,771B0F10,00000000), ref: 00407472
                                                                                          • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,771B0F10,00000000), ref: 004074F0
                                                                                          • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,771B0F10,00000000), ref: 00407528
                                                                                          • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,771B0F10,00000000), ref: 004076E7
                                                                                          • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                          • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 00407717
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,771B0F10,00000000), ref: 00407745
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 004077EF
                                                                                            • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                          • String ID: "$PromptOnSecureDesktop
                                                                                          • API String ID: 3433985886-3108538426
                                                                                          • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                          • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                          • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                          • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 386 40704c-407071 387 407073 386->387 388 407075-40707a 386->388 387->388 389 40707c 388->389 390 40707e-407083 388->390 389->390 391 407085 390->391 392 407087-40708c 390->392 391->392 393 407090-4070ca call 402544 RegOpenKeyExA 392->393 394 40708e 392->394 397 4070d0-4070f6 call 406dc2 393->397 398 4071b8-4071c8 call 40ee2a 393->398 394->393 403 40719b-4071a9 RegEnumValueA 397->403 404 4071cb-4071cf 398->404 405 4070fb-4070fd 403->405 406 4071af-4071b2 RegCloseKey 403->406 407 40716e-407194 405->407 408 4070ff-407102 405->408 406->398 407->403 408->407 409 407104-407107 408->409 409->407 410 407109-40710d 409->410 410->407 411 40710f-407133 call 402544 call 40eed1 410->411 416 4071d0-407203 call 402544 call 40ee95 call 40ee2a 411->416 417 407139-407145 call 406cad 411->417 432 407205-407212 RegCloseKey 416->432 433 407227-40722e 416->433 423 407147-40715c call 40f1a5 417->423 424 40715e-40716b call 40ee2a 417->424 423->416 423->424 424->407 434 407222-407225 432->434 435 407214-407221 call 40ef00 432->435 436 407230-407256 call 40ef00 call 40ed23 433->436 437 40725b-40728c call 402544 call 40ee95 call 40ee2a 433->437 434->404 435->434 436->437 449 407258 436->449 451 4072b8-4072cb call 40ed77 437->451 452 40728e-40729a RegCloseKey 437->452 449->437 459 4072dd-4072f4 call 40ed23 451->459 460 4072cd-4072d8 RegCloseKey 451->460 453 4072aa-4072b3 452->453 454 40729c-4072a9 call 40ef00 452->454 453->404 454->453 463 407301 459->463 464 4072f6-4072ff 459->464 460->404 465 407304-40730f call 406cad 463->465 464->465 468 407311-40731d RegCloseKey 465->468 469 407335-40735d call 406c96 465->469 470 40732d-407330 468->470 471 40731f-40732c call 40ef00 468->471 476 4073d5-4073e2 RegCloseKey 469->476 477 40735f-407365 469->477 470->453 471->470 479 4073f2-4073f7 476->479 480 4073e4-4073f1 call 40ef00 476->480 477->476 478 407367-407370 477->478 478->476 481 
407372-40737c 478->481 480->479 483 40739d-4073a2 481->483 484 40737e-407395 GetFileAttributesExA 481->484 487 4073a4 483->487 488 4073a6-4073a9 483->488 484->483 486 407397 484->486 486->483 487->488 489 4073b9-4073bc 488->489 490 4073ab-4073b8 call 40ef00 488->490 492 4073cb-4073cd 489->492 493 4073be-4073ca call 40ef00 489->493 490->489 492->476 493->492
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,771B0F10,?,771B0F10,00000000), ref: 004070C2
                                                                                          • RegEnumValueA.KERNELBASE(771B0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,771B0F10,00000000), ref: 0040719E
                                                                                          • RegCloseKey.KERNELBASE(771B0F10,?,771B0F10,00000000), ref: 004071B2
                                                                                          • RegCloseKey.ADVAPI32(771B0F10), ref: 00407208
                                                                                          • RegCloseKey.ADVAPI32(771B0F10), ref: 00407291
                                                                                          • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                          • RegCloseKey.ADVAPI32(771B0F10), ref: 004072D0
                                                                                          • RegCloseKey.ADVAPI32(771B0F10), ref: 00407314
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                          • RegCloseKey.ADVAPI32(771B0F10), ref: 004073D8
                                                                                            • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                          • String ID: $"$PromptOnSecureDesktop
                                                                                          • API String ID: 4293430545-98143240
                                                                                          • Opcode ID: 618cfb6f1b26c540220dcc2678a44076c62346fd56d5638b59146fa8fa35b1d5
                                                                                          • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                          • Opcode Fuzzy Hash: 618cfb6f1b26c540220dcc2678a44076c62346fd56d5638b59146fa8fa35b1d5
                                                                                          • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                                          Control-flow Graph: [graph figure not reproduced in text; legend: Executed / Not Executed]
                                                                                          APIs
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 0040677E
                                                                                          • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 0040679A
                                                                                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 004067B0
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 004067BF
                                                                                          • GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 004067D3
                                                                                          • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,771B0F10,00000000), ref: 00406807
                                                                                          • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040681F
                                                                                          • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 0040683E
                                                                                          • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040685C
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,771B0F10,00000000), ref: 0040688B
                                                                                          • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,771B0F10,00000000), ref: 00406906
                                                                                          • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,771B0F10,00000000), ref: 0040691C
                                                                                          • FindCloseChangeNotification.KERNELBASE(000000FF,?,771B0F10,00000000), ref: 00406971
                                                                                            • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                            • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                          • String ID:
                                                                                          • API String ID: 1400801100-0
                                                                                          • Opcode ID: e164254f3378dd396073a59d5f8bf438da5901e9f91fe2d8a4805c76184d12e6
                                                                                          • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                          • Opcode Fuzzy Hash: e164254f3378dd396073a59d5f8bf438da5901e9f91fe2d8a4805c76184d12e6
                                                                                          • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                                          Control-flow Graph: [graph figure not reproduced in text; legend: Executed / Not Executed]
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 029C024D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID: cess$kernel32.dll
                                                                                          • API String ID: 4275171209-1230238691
                                                                                          • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                          • Instruction ID: efaa1d7d26af55e79ec8504546794ef3e715198f52718c2fe88bf1d14a41d913
                                                                                          • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                          • Instruction Fuzzy Hash: D5526974A01229DFDB64CF58C984BACBBB5BF09304F1480E9E94DAB351DB30AA95CF15

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                          • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                          • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                            • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,771A8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                            • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                            • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                            • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                            • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 4131120076-2980165447
                                                                                          • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                          • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                          • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                          • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                          Control-flow Graph: [graph figure not reproduced in text; legend: Executed / Not Executed]
                                                                                          APIs
                                                                                          • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                          • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                          • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateErrorFileLastSleep
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 408151869-2980165447
                                                                                          • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                          • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                          • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                          • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                          Control-flow Graph: [graph figure not reproduced in text; legend: Executed / Not Executed]
                                                                                          APIs
                                                                                          • ReadFile.KERNELBASE(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                          • GetLastError.KERNEL32 ref: 00403FC2
                                                                                          • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                          • String ID:
                                                                                          • API String ID: 888215731-0
                                                                                          • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                          • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                          • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                          • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6

                                                                                          Control-flow Graph: [graph figure not reproduced in text; legend: Executed / Not Executed]
                                                                                          APIs
                                                                                          • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                          • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FileWrite
                                                                                          • String ID: ,k@
                                                                                          • API String ID: 3934441357-1053005162
                                                                                          • Opcode ID: addf51b803be8b3fdc0b349711ac0ded489e61cd96ba8191abdedb398079e53a
                                                                                          • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                          • Opcode Fuzzy Hash: addf51b803be8b3fdc0b349711ac0ded489e61cd96ba8191abdedb398079e53a
                                                                                          • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                          Control-flow Graph: [graph figure not reproduced in text; legend: Executed / Not Executed]
                                                                                          APIs
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                          • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteShellSleep
                                                                                          • String ID:
                                                                                          • API String ID: 4194306370-0
                                                                                          • Opcode ID: 0dc9418032d7fae7e99f7ff6decd2e171138db246ccd5078cf7f6b69033b9994
                                                                                          • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                          • Opcode Fuzzy Hash: 0dc9418032d7fae7e99f7ff6decd2e171138db246ccd5078cf7f6b69033b9994
                                                                                          • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

                                                                                          Control-flow Graph: [graph figure not reproduced in text; legend: Executed / Not Executed]
                                                                                          APIs
                                                                                          • SetErrorMode.KERNELBASE(00000400,?,?,029C0223,?,?), ref: 029C0E19
                                                                                          • SetErrorMode.KERNELBASE(00000000,?,?,029C0223,?,?), ref: 029C0E1E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorMode
                                                                                          • String ID:
                                                                                          • API String ID: 2340568224-0
                                                                                          • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                          • Instruction ID: 009e48eb130ead0992d2560500b46c4144bfb721bf901a4af9774b3f20ef8929
                                                                                          • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                          • Instruction Fuzzy Hash: 5DD01231145128B7D7003A94DC09BCD7B1CDF05B66F108011FB0DD9081C770954046E6
                                                                                          APIs
                                                                                            • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                            • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                            • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                            • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                          • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                          • String ID:
                                                                                          • API String ID: 1823874839-0
                                                                                          • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                          • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                          • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                          • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 028E6ACC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3694703474.00000000028E2000.00000040.00000020.00020000.00000000.sdmp, Offset: 028E2000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_28e2000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                          • Instruction ID: 9620e6d9832911e87f0f134c0f63f6ad43d6d99cf64f6947643a62a8a8e92e7a
                                                                                          • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                          • Instruction Fuzzy Hash: 72113C79A00208EFDB01DF98C985E98BFF5AF09351F058094F949AB361D371EA50DF80
                                                                                          APIs
                                                                                          • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                          • closesocket.WS2_32(?), ref: 0040CB63
                                                                                          • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                          • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                          • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                          • wsprintfA.USER32 ref: 0040CD21
                                                                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                          • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                          • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                          • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                          • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                          • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                          • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                          • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                          • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                          • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                          • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                          • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                          • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                          • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                          • closesocket.WS2_32(?), ref: 0040D56C
                                                                                          • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                          • ExitProcess.KERNEL32 ref: 0040D583
                                                                                          • wsprintfA.USER32 ref: 0040D81F
                                                                                            • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                          • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                          • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                          • API String ID: 562065436-3791576231
                                                                                          • Opcode ID: 58c16bf96f04c64393462683c7350eaf522ff62be46463dd462b2a21f2a14f1c
                                                                                          • Instruction ID: e3e311afffee0f8fdcefab3b6ad12dcdc3eb324b3d868ccf40e5e7320ccd552c
                                                                                          • Opcode Fuzzy Hash: 58c16bf96f04c64393462683c7350eaf522ff62be46463dd462b2a21f2a14f1c
                                                                                          • Instruction Fuzzy Hash: BDB2C471D00209BBEB209FA4DD85FEA7BB9AB08304F14457BF505B22D1D7789A89CB5C
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                          • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                          • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                          • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                          • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                          • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                          • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                          • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                          • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                          • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                          • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                          • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                          • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressProc$LibraryLoad
                                                                                          • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                          • API String ID: 2238633743-3228201535
                                                                                          • Opcode ID: def56848a29238af3b3263ec016d123599b8ce3514d2c8bce6aae186bf62253e
                                                                                          • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                          • Opcode Fuzzy Hash: def56848a29238af3b3263ec016d123599b8ce3514d2c8bce6aae186bf62253e
                                                                                          • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                          • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                          • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                          • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                          • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                          • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                          • wsprintfA.USER32 ref: 0040B3B7
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                          • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                          • API String ID: 766114626-2976066047
                                                                                          • Opcode ID: 9c254f7c2f4551e4858b08560ebcfb375181b6b247abdacfd65a4178375c92cf
                                                                                          • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                          • Opcode Fuzzy Hash: 9c254f7c2f4551e4858b08560ebcfb375181b6b247abdacfd65a4178375c92cf
                                                                                          • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                          • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                          • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                          • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                          • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                          • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                          • String ID: D
                                                                                          • API String ID: 3722657555-2746444292
                                                                                          • Opcode ID: 93d2068cc19732fe8ad9ae0a9f51e86421eb0c8fa32be1230cd8688bd4bd79d5
                                                                                          • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                          • Opcode Fuzzy Hash: 93d2068cc19732fe8ad9ae0a9f51e86421eb0c8fa32be1230cd8688bd4bd79d5
                                                                                          • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                          APIs
                                                                                          • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                          • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteShelllstrlen
                                                                                          • String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
                                                                                          • API String ID: 1628651668-1839596206
                                                                                          • Opcode ID: 4a22ad167bc3991e7243980079933dba70382744969d1905516b1f864c22465e
                                                                                          • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                          • Opcode Fuzzy Hash: 4a22ad167bc3991e7243980079933dba70382744969d1905516b1f864c22465e
                                                                                          • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
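Several of the API chains listed above can be matched mechanically rather than read by eye: the paired SetErrorMode calls at 029C0E19/029C0E1E (SetErrorMode returns the previous mode, so the second call should hand back the 0x400 the first one set, and the report flags the pair as indicative of debugger detection), the write-to-%TEMP%, CreateProcessA, WaitForSingleObject, DeleteFileA sequence at 0040CC28-0040CDC4, the three attribute-clear/overwrite/set-hidden cycles at 0040D155-0040D45B, and the dynamic resolution of ntdll token APIs at 00401012-0040121A. The Python below is an added example written for this page, not Joe Sandbox tooling or code from the sample; the rule names and behaviour labels are the editor's, and the sample input is an abbreviated copy of the report's own call lines. The hex constants in the rules are the documented Win32 values as the report prints them: CREATE_NO_WINDOW 0x08000000, CREATE_ALWAYS 2, FILE_ATTRIBUTE_NORMAL 0x80, FILE_ATTRIBUTE_HIDDEN 0x02.

```python
"""Flag behaviour chains in the per-function API lists of a Joe Sandbox report. Added
example for this page, not Joe Sandbox tooling or sample code; rules are the editor's."""
import re

# A call line: "• CreateFileA.KERNEL32(?,40000000,...), ref: 0040CCB4". The regex also
# accepts "Part of subcall function" lines and paren-less ones ("wsprintfA.USER32 ref: ...").
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-F]+:\s*)?(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-F]+))?")

def split_functions(report_text):
    """Group (api, args, ref) tuples by function: each 'APIs' header opens a block."""
    blocks = []
    for line in report_text.splitlines():
        if line.strip() == "APIs":
            blocks.append([])
        elif blocks and (m := CALL_RE.search(line)):
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            blocks[-1].append((m["api"], args, m["ref"] or "?"))
    return blocks

def arg_is(index, value):
    """Predicate factory: argument `index` equals `value` as the report prints it."""
    return lambda args: len(args) > index and args[index] == value

def find_chains(calls, steps):
    """All non-overlapping matches of `steps` as an ordered, not necessarily adjacent,
    subsequence of `calls`. A step is (api_name, predicate_or_None)."""
    found, matched, i = [], [], 0
    for call in calls:
        api, pred = steps[i]
        if call[0] == api and (pred is None or pred(call[1])):
            matched.append(call)
            i += 1
            if i == len(steps):
                found.append(matched)
                matched, i = [], 0
    return found

CHAINS = {
    # SetErrorMode(0x400) then SetErrorMode(0): the second call returns the mode the
    # first one set; a debugger check treats a value that does not round-trip as tampering.
    "seterrormode_debugger_check": [("SetErrorMode", arg_is(0, "00000400")),
                                    ("SetErrorMode", arg_is(0, "00000000"))],
    # Write under %TEMP%, CreateProcessA with CREATE_NO_WINDOW (0x08000000), wait, delete.
    "drop_execute_delete": [("GetTempPathA", None), ("CreateFileA", None), ("WriteFile", None),
                            ("CreateProcessA", arg_is(5, "08000000")),
                            ("WaitForSingleObject", None), ("DeleteFileA", None)],
    # FILE_ATTRIBUTE_NORMAL (0x80) to unlock, CREATE_ALWAYS (2) to overwrite,
    # then FILE_ATTRIBUTE_HIDDEN (0x02).
    "hidden_file_write": [("SetFileAttributesA", arg_is(1, "00000080")),
                          ("CreateFileA", arg_is(4, "00000002")), ("WriteFile", None),
                          ("SetFileAttributesA", arg_is(1, "00000002"))],
}
# ntdll exports whose dynamic resolution points at token manipulation.
TOKEN_APIS = {"NtOpenProcessToken", "NtDuplicateToken", "NtFilterToken",
              "NtSetInformationToken", "NtSetInformationThread"}

def analyze(report_text):
    """Return {finding: [detail, ...]}; detail names the block and the first/last ref."""
    findings = {}
    for idx, calls in enumerate(split_functions(report_text)):
        for name, steps in CHAINS.items():
            for chain in find_chains(calls, steps):
                findings.setdefault(name, []).append(f"fn{idx} {chain[0][2]}-{chain[-1][2]}")
        resolved = [c[1][1] for c in calls
                    if c[0] == "GetProcAddress" and len(c[1]) > 1 and c[1][1] in TOKEN_APIS]
        if resolved:
            findings.setdefault("dynamic_token_api_resolution", []).append(
                f"fn{idx} " + ",".join(resolved))
    return findings

# Constructed input: call lines copied from the report above, abbreviated to three functions.
SAMPLE = """\
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,029C0223,?,?), ref: 029C0E19
• SetErrorMode.KERNELBASE(00000000,?,?,029C0223,?,?), ref: 029C0E1E
APIs
• GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
• WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
• wsprintfA.USER32 ref: 0040CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
• DeleteFileA.KERNEL32(?), ref: 0040CDC4
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
• WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
• WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
• GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
• GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
• GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
"""

if __name__ == "__main__":
    for name, hits in analyze(SAMPLE).items():
        print(f"{name}: {hits}")
```

Feed a saved copy of the report text in place of SAMPLE to run it over every function. The per-block grouping also covers the `String ID` lines, so a rule pairing `wusa.exe` with `%systemroot%\system32\cmd.exe` (the strings of the ShellExecuteExW function at 0040139A) can be added in the same style. Subsequence matching deliberately tolerates unrelated calls between steps, which is what lets the chain at 0040CC28 survive the interleaved wsprintfA; the cost is that two unrelated operations inside one large function can be joined into a single match, so treat a hit as a lead to confirm in the disassembly rather than a verdict.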
APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
Memory Dump Source
• Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
• Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
• Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,771AF380), ref: 00402A83
• HeapAlloc.KERNEL32(00000000,?,771AF380), ref: 00402A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• htons.WS2_32(00000000), ref: 00402ADB
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• htons.WS2_32(?), ref: 00402B71
• htons.WS2_32(?), ref: 00402B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
Memory Dump Source
• Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
• Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
• Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
• Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
• Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: 5dd434fdf3d1b2f7ac71eae5deaa1b81d7ffa9032da077e8e99a06cc7be058a2
• Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
• Opcode Fuzzy Hash: 5dd434fdf3d1b2f7ac71eae5deaa1b81d7ffa9032da077e8e99a06cc7be058a2
• Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
• FreeSid.ADVAPI32(?), ref: 00406F3E
Memory Dump Source
• Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID: *p@
• API String ID: 3429775523-2474123842
• Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
• Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
• Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
Memory Dump Source
• Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: ee9ff6285cd0759b386b71dc2009f55f092fb3ff13d227db5bcc73c144141d81
• Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
• Opcode Fuzzy Hash: ee9ff6285cd0759b386b71dc2009f55f092fb3ff13d227db5bcc73c144141d81
• Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 029C65F6
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 029C6610
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 029C6631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 029C6652
Memory Dump Source
• Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
• Instruction ID: 9192f060f6a62aafe21a7a5296de299d7fd381c1f8a415300dc4090e7f874b1f
• Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
• Instruction Fuzzy Hash: 92117771600218BFDB119F65DD49F9B3FACEB457A5F204029FA04D7250D7B1DD00CAA5
APIs
• CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
• DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
  • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
  • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
Memory Dump Source
• Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
Similarity
• API ID: Time$FileSystem$CloseControlCreateDeviceHandle
• String ID:
• API String ID: 3754425949-0
• Opcode ID: 7316c1f4b5cb1443490bb148765e0df43b8208094f0d347aba08efc86f487165
• Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
• Opcode Fuzzy Hash: 7316c1f4b5cb1443490bb148765e0df43b8208094f0d347aba08efc86f487165
• Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
Memory Dump Source
• Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
Similarity
• API ID:
• String ID: .$GetProcAddress.$l
• API String ID: 0-2784972518
• Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction ID: 7a47b97b5e64dbf48010a1d9dc5b22c0d457724c2e04feebab4f7bc212d34119
• Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction Fuzzy Hash: 9F3148B6900609DFEB10CF99C880BAEBBF9FF48324F24404AD441A7310D771EA45CBA5
Memory Dump Source
• Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
• Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
• Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
• Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
Memory Dump Source
• Source File: 00000000.00000002.3694703474.00000000028E2000.00000040.00000020.00020000.00000000.sdmp, Offset: 028E2000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28e2000_vyrcclmm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction ID: bc5788c29358339c19985297edcd16430e39049177e056ba862e48b32619e435
• Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction Fuzzy Hash: A411C2BA340110AFDB50CF55DC81EA273EEEB9A324B198165ED09CB312E775E801C760
Memory Dump Source
• Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction ID: a0384b15779899da731877abe0586fec8d2dc5f538297ece355bcc05251b702a
• Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction Fuzzy Hash: 0301A776610704CFDF21CF24C844BAA33E9EF85215F5544A9D5069B281E774A9418B91
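The function listings on this page record API arguments as raw 32-bit values: socket(00000002,00000002,00000011), VirtualAllocEx(...,00001000,00000040), AllocateAndInitializeSid(?,00000002,00000020,00000220,...), IsBadReadPtr(?,00000014,...), RegOpenKeyExA(80000001,...), CreateProcessA(...,08000000,...). The Python script below is an added example written for this page; it is not part of the report and not Joe Sandbox code. It parses listing lines in the report's own format, maps the numeric arguments to their Windows SDK names, and tags each function with the behaviour its call sequence implies (an RWX allocation in another process followed by WriteProcessMemory, a BUILTIN\Administrators membership check, a UDP socket, a walk over 20-byte import descriptors, a spawned process followed by a file delete). The listing lines embedded in SAMPLE are copied from this report; the function labels (udp_socket_fn, admin_check_fn, ...) and the tag names are constructed for the example. Reading RIDs 32 and 544 as BUILTIN\Administrators assumes that the identifier authority, the first argument, which the sandbox did not recover, is SECURITY_NT_AUTHORITY.

```python
import re
from typing import Dict, List, Optional

# One "APIs" line, e.g. "• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0";
# the argument list is optional ("• wsprintfA.USER32 ref: 029CA31D" has none).
LINE_RE = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")

# Standard Windows SDK values, limited to what this report's listings use.
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "IPPROTO_DEFAULT", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
CREATE_FLAGS = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS", 0x10: "CREATE_NEW_CONSOLE", 0x08000000: "CREATE_NO_WINDOW"}
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
REG_TYPE = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD"}
RID = {0x20: "SECURITY_BUILTIN_DOMAIN_RID", 0x220: "DOMAIN_ALIAS_RID_ADMINS"}
SIZES = {0x14: "sizeof(IMAGE_IMPORT_DESCRIPTOR)"}  # 20-byte import directory entries

DECODERS = {  # api -> {argument index: ("enum" | "flags", table)}
    "socket": {0: ("enum", AF), 1: ("enum", SOCK_TYPE), 2: ("enum", PROTO)},
    "VirtualAlloc": {2: ("flags", ALLOC_TYPE), 3: ("enum", PROTECT)},
    "VirtualAllocEx": {3: ("flags", ALLOC_TYPE), 4: ("enum", PROTECT)},
    "CreateProcessA": {5: ("flags", CREATE_FLAGS)},
    "RegOpenKeyExA": {0: ("enum", HKEY)},
    "RegSetValueExA": {3: ("enum", REG_TYPE)},
    "AllocateAndInitializeSid": {2: ("enum", RID), 3: ("enum", RID)},
    "IsBadReadPtr": {1: ("enum", SIZES)},
}

def flags(value: int, table: Dict[int, str]) -> str:
    """Render a bitmask as OR-ed names; bits not in the table are kept as hex."""
    names = [name for bit, name in table.items() if (value & bit) == bit]
    rest = value & ~sum(bit for bit in table if (value & bit) == bit)
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"

def parse_line(line: str) -> Optional[dict]:
    """Parse one listing line: 8-hex-digit arguments become ints, '?' and strings stay as text."""
    m = LINE_RE.search(line)
    if not m:
        return None
    raw = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return {"api": m.group("api"), "module": m.group("mod"), "ref": m.group("ref"),
            "args": [int(a, 16) if HEX32.match(a) else a for a in raw]}

def annotate(call: dict) -> List[str]:
    """Symbolic names for the arguments a decoder knows; '?' (value not recovered) is skipped."""
    notes = []
    for idx, (kind, table) in DECODERS.get(call["api"], {}).items():
        if idx < len(call["args"]) and isinstance(call["args"][idx], int):
            v = call["args"][idx]
            notes.append(f"arg{idx}=" + (flags(v, table) if kind == "flags" else table.get(v, hex(v))))
    return notes

def classify(calls: List[dict]) -> List[str]:
    """Tag a function with the behaviour its call sequence implies (triage hints, not verdicts)."""
    apis = {c["api"] for c in calls}
    has = lambda api, idx, vals: any(c["api"] == api and c["args"][idx:idx + len(vals)] == vals for c in calls)
    tags = []
    if "WriteProcessMemory" in apis and has("VirtualAllocEx", 4, [0x40]):
        tags.append("remote_rwx_write")          # RWX region in another process, then a write into it
    if "CheckTokenMembership" in apis and has("AllocateAndInitializeSid", 2, [0x20, 0x220]):
        tags.append("builtin_admins_check")      # RIDs 32-544 = BUILTIN\Administrators under the NT authority
    if has("socket", 1, [2, 17]):
        tags.append("udp_socket")
    if {"LoadLibraryA", "GetProcAddress"} <= apis and has("IsBadReadPtr", 1, [0x14]):
        tags.append("walks_import_descriptors")  # probes 20-byte records: manual import resolution
    if {"CreateProcessA", "DeleteFileA"} <= apis:
        tags.append("spawn_then_delete")
    return tags

def analyse(listings: Dict[str, List[str]]) -> Dict[str, dict]:
    """Run parse/annotate/classify over {label: [listing lines]}."""
    out = {}
    for label, lines in listings.items():
        calls = [c for c in map(parse_line, lines) if c]
        out[label] = {"calls": [(c["api"], annotate(c)) for c in calls], "tags": classify(calls)}
    return out

# Constructed input: listing lines copied from this report; the labels are ours, not the report's.
SAMPLE = {
    "udp_socket_fn": ["• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0"],
    "import_walk_fn": ["• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C",
                       "• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3",
                       "• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A"],
    "admin_check_fn": ["• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F",
                       "• CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24"],
    "injection_fn": ["• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9",
                     "• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA",
                     "• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB"],
    "dropper_fn": ["• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 029CA1A2",
                   "• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 029CA1C5",
                   "• wsprintfA.USER32 ref: 029CA31D",
                   "• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 029CA387",
                   "• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 029CA398"],
}

if __name__ == "__main__":
    for label, info in analyse(SAMPLE).items():
        print(label, info["tags"])
        for api, notes in info["calls"]:
            if notes:
                print("   ", api, ", ".join(notes))
```

Run it as a script to print each labelled function with its tags and the decoded arguments; to apply it to another report, paste that report's "APIs" lines into SAMPLE and extend DECODERS for any API whose constants matter to the triage. A "?" in the listing means the sandbox could not recover that argument, so the decoder skips it rather than guessing; the tags are hints for where to look in the disassembly, not a classification of the sample.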
APIs
• ExitProcess.KERNEL32 ref: 029C9E6D
• lstrcpy.KERNEL32(?,00000000), ref: 029C9FE1
• lstrcat.KERNEL32(?,?), ref: 029C9FF2
• lstrcat.KERNEL32(?,0041070C), ref: 029CA004
• GetFileAttributesExA.KERNEL32(?,?,?), ref: 029CA054
• DeleteFileA.KERNEL32(?), ref: 029CA09F
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 029CA0D6
• lstrcpy.KERNEL32 ref: 029CA12F
• lstrlen.KERNEL32(00000022), ref: 029CA13C
• GetTempPathA.KERNEL32(000001F4,?), ref: 029C9F13
  • Part of subcall function 029C7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 029C7081
  • Part of subcall function 029C6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\fdcgtgix,029C7043), ref: 029C6F4E
  • Part of subcall function 029C6F30: GetProcAddress.KERNEL32(00000000), ref: 029C6F55
  • Part of subcall function 029C6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 029C6F7B
  • Part of subcall function 029C6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 029C6F92
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 029CA1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 029CA1C5
• GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 029CA214
• GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 029CA21B
• GetDriveTypeA.KERNEL32(?), ref: 029CA265
• lstrcat.KERNEL32(?,00000000), ref: 029CA29F
• lstrcat.KERNEL32(?,00410A34), ref: 029CA2C5
• lstrcat.KERNEL32(?,00000022), ref: 029CA2D9
• lstrcat.KERNEL32(?,00410A34), ref: 029CA2F4
• wsprintfA.USER32 ref: 029CA31D
• lstrcat.KERNEL32(?,00000000), ref: 029CA345
• lstrcat.KERNEL32(?,?), ref: 029CA364
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 029CA387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 029CA398
• RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 029CA1D1
  • Part of subcall function 029C9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 029C999D
  • Part of subcall function 029C9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 029C99BD
  • Part of subcall function 029C9966: RegCloseKey.ADVAPI32(?), ref: 029C99C6
• GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 029CA3DB
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 029CA3E2
                                                                                          • GetDriveTypeA.KERNEL32(00000022), ref: 029CA41D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                          • String ID: "$"$"$D$P$\
                                                                                          • API String ID: 1653845638-2605685093
                                                                                          • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                          • Instruction ID: 80b2359da728af6a6a845c81fc5e8f7303b7b7c2b4f54b8be065115ac32d2944
                                                                                          • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                          • Instruction Fuzzy Hash: 6BF140B1D4025DAFDF11DFA08C48FEF7BBDAB09304F2444AAE605E2141E7758A848F66
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
                                                                                          • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                          • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                          • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                          • String ID: D$PromptOnSecureDesktop
                                                                                          • API String ID: 2976863881-1403908072
                                                                                          • Opcode ID: eb1a08a2c71bfc4e71cb34ece599553e47f8ddafd4bc37f5bbc1e22e926e6740
                                                                                          • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                                          • Opcode Fuzzy Hash: eb1a08a2c71bfc4e71cb34ece599553e47f8ddafd4bc37f5bbc1e22e926e6740
                                                                                          • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 029C7D21
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 029C7D46
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 029C7D7D
                                                                                          • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 029C7DA2
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 029C7DC0
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 029C7DD1
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 029C7DE5
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029C7DF3
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 029C7E03
                                                                                          • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 029C7E12
                                                                                          • LocalFree.KERNEL32(00000000), ref: 029C7E19
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 029C7E35
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                          • String ID: D$PromptOnSecureDesktop
                                                                                          • API String ID: 2976863881-1403908072
                                                                                          • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                          • Instruction ID: 43b702ea4071be57236086f9d746f9114e81e30f0633ff9578fb234f901e0cd8
                                                                                          • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                                          • Instruction Fuzzy Hash: 8BA15CB2900219AFDF21CFA0DD88FEEBBBDFB08344F148169E505E6150D7758A85CB65
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                          • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                          • API String ID: 2400214276-165278494
                                                                                          • Opcode ID: 61f8b68dd9f344f506cfc8e29852887e470a3443c6047e34725b67e0d060e89d
                                                                                          • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                                          • Opcode Fuzzy Hash: 61f8b68dd9f344f506cfc8e29852887e470a3443c6047e34725b67e0d060e89d
                                                                                          • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                                          APIs
                                                                                          • wsprintfA.USER32 ref: 0040A7FB
                                                                                          • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                          • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                          • wsprintfA.USER32 ref: 0040A8AF
                                                                                          • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                          • wsprintfA.USER32 ref: 0040A8E2
                                                                                          • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                          • wsprintfA.USER32 ref: 0040A9B9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$send$lstrlenrecv
                                                                                          • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                          • API String ID: 3650048968-2394369944
                                                                                          • Opcode ID: ae3e940a4bde8c590484db18a6dae5c4a8b1995a6f5a2f6c6eb5761f3b661a67
                                                                                          • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                                          • Opcode Fuzzy Hash: ae3e940a4bde8c590484db18a6dae5c4a8b1995a6f5a2f6c6eb5761f3b661a67
                                                                                          • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 029C7A96
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 029C7ACD
                                                                                          • GetLengthSid.ADVAPI32(?), ref: 029C7ADF
                                                                                          • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 029C7B01
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 029C7B1F
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 029C7B39
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 029C7B4A
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029C7B58
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 029C7B68
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 029C7B77
                                                                                          • LocalFree.KERNEL32(00000000), ref: 029C7B7E
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 029C7B9A
                                                                                          • GetAce.ADVAPI32(?,?,?), ref: 029C7BCA
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 029C7BF1
                                                                                          • DeleteAce.ADVAPI32(?,?), ref: 029C7C0A
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 029C7C2C
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 029C7CB1
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029C7CBF
                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 029C7CD0
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 029C7CE0
                                                                                          • LocalFree.KERNEL32(00000000), ref: 029C7CEE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                          • String ID: D
                                                                                          • API String ID: 3722657555-2746444292
                                                                                          • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                          • Instruction ID: 32385409833fa30625b73ad9d661f335a1bc22703a3a277feb5036ee7e11f233
                                                                                          • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                          • Instruction Fuzzy Hash: 7D815C7194021AAFEB21CFE4DD84FEEBBBCAF08344F14806AE515E6250D7758A41CFA5
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                          • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                          • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                          • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseOpenQuery
                                                                                          • String ID: PromptOnSecureDesktop$localcfg
                                                                                          • API String ID: 237177642-1678164370
                                                                                          • Opcode ID: 96b744c21c97554fe267b79c97f5d976ed6b4de3d9a18d44cb0f3305665f7017
                                                                                          • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                          • Opcode Fuzzy Hash: 96b744c21c97554fe267b79c97f5d976ed6b4de3d9a18d44cb0f3305665f7017
                                                                                          • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                          APIs
                                                                                          • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                          • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                          • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                          • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                          • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                          • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                          • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                          • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                          • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• API String ID: 835516345-270533642
• Opcode ID: c2d043fcc5cbb47ed0bea78f2b79b5e209498882ff798d96aae41c0d31e4dbc2
• Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
• Opcode Fuzzy Hash: c2d043fcc5cbb47ed0bea78f2b79b5e209498882ff798d96aae41c0d31e4dbc2
• Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 029C865A
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 029C867B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 029C86A8
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 029C86B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: "$PromptOnSecureDesktop
• API String ID: 237177642-3108538426
• Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction ID: b2dae8da84ce2fcc169ee3b69ef56760e489780a2a1faca55faddddd0aeb5018
• Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction Fuzzy Hash: BFC181B1900149BEEB12EBA4DD84EEF7BBDFB48304F24407EF605E6050E7714A948B66
APIs
• ShellExecuteExW.SHELL32(?), ref: 029C1601
• lstrlenW.KERNEL32(-00000003), ref: 029C17D8
Strings
Memory Dump Source
• Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
• Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction ID: 4d8ef404f3b3d8cafdc88869f0321901fc3923cf4eb726cf09e044a40ba9cb53
• Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction Fuzzy Hash: 9FF1AFB11083419FD720CF64D888BABB7E9FB88304F20892DF59A97291D7B4D944CB5B
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 029C76D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 029C7757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 029C778F
• ___ascii_stricmp.LIBCMT ref: 029C78B4
• RegCloseKey.ADVAPI32(?), ref: 029C794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 029C796D
• RegCloseKey.ADVAPI32(?), ref: 029C797E
• RegCloseKey.ADVAPI32(?), ref: 029C79AC
• RegCloseKey.ADVAPI32(?), ref: 029C7A56
  • Part of subcall function 029CF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,029C772A,?), ref: 029CF414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 029C79F6
• RegCloseKey.ADVAPI32(?), ref: 029C7A4D
Strings
Memory Dump Source
• Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "$PromptOnSecureDesktop
• API String ID: 3433985886-3108538426
• Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction ID: dc2c0da8f9d0c1cccc57cab08f3376f9e6bc54e3ffc9ec2cacb18f740d1fa0eb
• Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction Fuzzy Hash: 33C17471900109AFDB11DBA4DC44FEEBBBEEF49710F3440AAE545E6190EB719A84CF62
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 029C2CED
• socket.WS2_32(00000002,00000002,00000011), ref: 029C2D07
• htons.WS2_32(00000000), ref: 029C2D42
• select.WS2_32 ref: 029C2D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 029C2DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 029C2E62
Memory Dump Source
• Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
• Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction ID: b753a85bf31eb53a500745dfd22672427db77dfcfb5ad980b733062140b5a082
• Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
• Instruction Fuzzy Hash: 0361CFB1904309ABD3209F64DC08B6BBBE8EB88755F25482DFD84A7150D7B5D880CBA7
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
• Opcode ID: 5cd659d1eb2281404cf1ff7fe35be06c0bda1c6b56bcdef19fd154bc71bc5665
• Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
• Opcode Fuzzy Hash: 5cd659d1eb2281404cf1ff7fe35be06c0bda1c6b56bcdef19fd154bc71bc5665
• Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll,771B23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
• LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
• GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
• GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
• HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
• htons.WS2_32(00000035), ref: 00402E88
• inet_addr.WS2_32(?), ref: 00402E93
• gethostbyname.WS2_32(?), ref: 00402EA6
• GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
• HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
Strings
Memory Dump Source
• Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
Yara matches
Similarity
• API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: GetNetworkParams$iphlpapi.dll
• API String ID: 929413710-2099955842
• Opcode ID: d8108df1af11397a5f9eb0cb94d23b6045a7de0830802216e32b8eab0121211e
• Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
• Opcode Fuzzy Hash: d8108df1af11397a5f9eb0cb94d23b6045a7de0830802216e32b8eab0121211e
• Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
APIs
• GetVersionExA.KERNEL32(?), ref: 029C95A7
• GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 029C95D5
• GetModuleFileNameA.KERNEL32(00000000), ref: 029C95DC
• wsprintfA.USER32 ref: 029C9635
• wsprintfA.USER32 ref: 029C9673
• wsprintfA.USER32 ref: 029C96F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 029C9758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 029C978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 029C97D8
Strings
Memory Dump Source
• Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
Yara matches
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: PromptOnSecureDesktop
• API String ID: 3696105349-2980165447
• Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction ID: e77bcdcfa7b5a603a514a67604050b02472de1562d3dea4cd432d72740f381a5
• Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction Fuzzy Hash: 7AA16FB1900248EFFB21DFA0CC85FEA3BADEB44745F20402AFA1596151E775D684CFA6
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Strings
Memory Dump Source
• Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
Yara matches
Similarity
• API ID: lstrcmpi
• String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-142018493
• Opcode ID: 5de4b720525195bfa21f7211d5f61df3d951c59e2526b8a2204b20cbe9ca94a4
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: 5de4b720525195bfa21f7211d5f61df3d951c59e2526b8a2204b20cbe9ca94a4
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
APIs
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
Yara matches
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: 07bf672bddbe06c2f420d96725ac0e1f54ef040b4224a6cef6ca6ba202742de3
• Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
• Opcode Fuzzy Hash: 07bf672bddbe06c2f420d96725ac0e1f54ef040b4224a6cef6ca6ba202742de3
• Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
APIs
• GetVersionExA.KERNEL32 ref: 029C202D
• GetSystemInfo.KERNEL32(?), ref: 029C204F
• GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 029C206A
• GetProcAddress.KERNEL32(00000000), ref: 029C2071
• GetCurrentProcess.KERNEL32(?), ref: 029C2082
• GetTickCount.KERNEL32 ref: 029C2230
  • Part of subcall function 029C1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 029C1E7C
Strings
Memory Dump Source
• Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: flags_upd$hi_id$localcfg$work_srv
• API String ID: 4207808166-1391650218
• Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
• Instruction ID: 8759b384ef9c726a355504968f42c8b33284226090dfd069cf01c6516c8590ef
• Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
• Instruction Fuzzy Hash: 8A51F9B09003486FE330AF758C85F67BAECEF94744F50491DFD9682242D7B9A544CB66
APIs
• GetTickCount.KERNEL32 ref: 00402078
• GetTickCount.KERNEL32 ref: 004020D4
• GetTickCount.KERNEL32 ref: 004020DB
• GetTickCount.KERNEL32 ref: 0040212B
• GetTickCount.KERNEL32 ref: 00402132
• GetTickCount.KERNEL32 ref: 00402142
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7686EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7686EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                          • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                          • API String ID: 3976553417-1522128867
                                                                                          • Opcode ID: 66737db9b915561633ae3f492ee5f4d9e9eb10476a5fdfc482486e88eb260942
                                                                                          • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                          • Opcode Fuzzy Hash: 66737db9b915561633ae3f492ee5f4d9e9eb10476a5fdfc482486e88eb260942
                                                                                          • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                          APIs
                                                                                          • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                          • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                          • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: closesockethtonssocket
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 311057483-2401304539
                                                                                          • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                          • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                          • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                          • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                          APIs
                                                                                            • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                            • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                          • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                          • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                          • GetTickCount.KERNEL32 ref: 0040C363
                                                                                          • GetTickCount.KERNEL32 ref: 0040C378
                                                                                          • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                          • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                          • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1553760989-1857712256
                                                                                          • Opcode ID: a4c47fe232f0f429a5e45ffdfbe97dd16a9fcdfbaa8a3ef520d6a4c94dc9225a
                                                                                          • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                          • Opcode Fuzzy Hash: a4c47fe232f0f429a5e45ffdfbe97dd16a9fcdfbaa8a3ef520d6a4c94dc9225a
                                                                                          • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 029C3068
                                                                                          • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 029C3078
                                                                                          • GetProcAddress.KERNEL32(00000000,00410408), ref: 029C3095
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 029C30B6
                                                                                          • htons.WS2_32(00000035), ref: 029C30EF
                                                                                          • inet_addr.WS2_32(?), ref: 029C30FA
                                                                                          • gethostbyname.WS2_32(?), ref: 029C310D
                                                                                          • HeapFree.KERNEL32(00000000), ref: 029C314D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                          • String ID: iphlpapi.dll
                                                                                          • API String ID: 2869546040-3565520932
                                                                                          • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                          • Instruction ID: fa11eb47cb8194c02ae31ca194d93498a462f97c43744243d53d5c5a7d7f060f
                                                                                          • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                          • Instruction Fuzzy Hash: 1331A431A00206AFDB119BB89C48BAE77BCAF05764F24C1A9E518E7390DB74D5418B5E
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                          • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                          • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                          • String ID: DnsQuery_A$dnsapi.dll
                                                                                          • API String ID: 3560063639-3847274415
                                                                                          • Opcode ID: eb7510e18f4f3ad5f9c27a48c5e533d648c270866267e0b44efdedb47f858b72
                                                                                          • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                          • Opcode Fuzzy Hash: eb7510e18f4f3ad5f9c27a48c5e533d648c270866267e0b44efdedb47f858b72
                                                                                          • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                          • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                          • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                          • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                                          • API String ID: 1082366364-2834986871
                                                                                          • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                          • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                          • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                          • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                          APIs
                                                                                          • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                          • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                          • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                          • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                          • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                          • String ID: D$PromptOnSecureDesktop
                                                                                          • API String ID: 2981417381-1403908072
                                                                                          • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                          • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                          • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                          • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
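The function entry above is the one a practitioner will want to pull out of this report: CreateProcessA with dwCreationFlags 00000004 (CREATE_SUSPENDED, the 6th parameter), then GetThreadContext, a 4-byte WriteProcessMemory (nSize is the 4th parameter), SetThreadContext and ResumeThread on the new process. The following Python is an added example, not part of the Joe Sandbox report and not Tofsee's code: it parses the report's own "• Api.MODULE(args), ref: addr" bullet lines (including the "Part of subcall function" form) and applies a suspended-process injection rule over them. The sample inputs are copied from this report's listings; the chain rule and the helper names (parse_api_lines, find_hollowing_chain, write_sizes, dynamic_imports) are this example's own assumptions, not a Joe Sandbox signature.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the six API lines of the CreateProcessA ... ResumeThread
# entry in this report, copied verbatim.
SAMPLE_HOLLOW = """\
• CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
"""

# Constructed negative sample in the same format (a timing line, a subcall line
# and the dnsapi.dll dynamic import, all from this report): the rule must not fire.
SAMPLE_OTHER = """\
• GetTickCount.KERNEL32 ref: 00402078
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7686EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
"""

# One report line: optional "Part of subcall function XXXX:" prefix, then
# Api.MODULE, an optional "(arg,arg,...)" list and "ref: <call-site address>".
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # argument tokens as printed; "?" means unknown
    ref: int                 # call-site address
    subcall: Optional[int]   # callee address when the line is a "Part of subcall" entry

def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the report's API bullet lines; lines in any other format are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls

def arg_int(call: ApiCall, index: int) -> Optional[int]:
    """Argument `index` as an integer, or None when it is "?", missing or a string."""
    if index >= len(call.args) or not HEX_RE.fullmatch(call.args[index]):
        return None
    return int(call.args[index], 16)

CREATE_SUSPENDED = 0x00000004   # bit in dwCreationFlags, the 6th CreateProcess parameter

def creates_suspended_process(call: ApiCall) -> bool:
    if call.api not in ("CreateProcessA", "CreateProcessW"):
        return False
    flags = arg_int(call, 5)
    return flags is not None and bool(flags & CREATE_SUSPENDED)

# This example's own heuristic: a suspended CreateProcess followed, in listing
# order, by these calls; unrelated calls may sit in between.
HOLLOW_CHAIN = ("GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread")

def find_hollowing_chain(calls: List[ApiCall]) -> List[int]:
    """Call-site addresses of the matched chain, or [] when the rule does not fire."""
    start = next((i for i, c in enumerate(calls) if creates_suspended_process(c)), None)
    if start is None:
        return []
    hits = [calls[start].ref]
    remaining = list(HOLLOW_CHAIN)
    for c in calls[start + 1:]:
        if c.api == remaining[0]:
            hits.append(c.ref)
            remaining.pop(0)
            if not remaining:
                return hits
    return []

def write_sizes(calls: List[ApiCall]) -> List[int]:
    """nSize (4th parameter) of every WriteProcessMemory whose size was printed."""
    return [n for c in calls if c.api == "WriteProcessMemory"
            for n in [arg_int(c, 3)] if n is not None]

def dynamic_imports(calls: List[ApiCall]) -> List[str]:
    """Names passed to GetProcAddress that the report printed as strings, not pointers."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) > 1
            and c.args[1] != "?" and arg_int(c, 1) is None]

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_HOLLOW)
    print([hex(a) for a in find_hollowing_chain(calls)], write_sizes(calls))
    other = parse_api_lines(SAMPLE_OTHER)
    print(find_hollowing_chain(other), dynamic_imports(other))
```

On the entry above the rule returns the five call sites 004097B1, 004097EB, 00409831, 0040984E and 0040985B and a single write of 4 bytes; on the other listings it returns nothing and instead surfaces DnsQuery_A as a string resolved at run time. The argument positions follow the Windows API parameter order, so the same index lookups work on any entry in the report, but a "?" in that position simply yields no verdict rather than a false one.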
                                                                                          APIs
                                                                                          • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 029C67C3
                                                                                          • htonl.WS2_32(?), ref: 029C67DF
                                                                                          • htonl.WS2_32(?), ref: 029C67EE
                                                                                          • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 029C68F1
                                                                                          • ExitProcess.KERNEL32 ref: 029C69BC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Processhtonl$CurrentExitHugeRead
                                                                                          • String ID: except_info$localcfg
                                                                                          • API String ID: 1150517154-3605449297
                                                                                          • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                          • Instruction ID: 8849537c9c5f5bf11510654b3a9c2b8103dccafd7bb4a38027b52a977126109b
                                                                                          • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                          • Instruction Fuzzy Hash: FD617E71A40208AFDB609FB4DC45FEA77E9FB48300F24806AFA6DD2161EB759990CF14
                                                                                          APIs
                                                                                          • htons.WS2_32(029CCC84), ref: 029CF5B4
                                                                                          • socket.WS2_32(00000002,00000001,00000000), ref: 029CF5CE
                                                                                          • closesocket.WS2_32(00000000), ref: 029CF5DC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: closesockethtonssocket
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 311057483-2401304539
                                                                                          • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                          • Instruction ID: 6b45681ec4d6f7db941ec21eb8b8ecd9fd83cdc8d2ecca41462ff660efa488bf
                                                                                          • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                          • Instruction Fuzzy Hash: D9316E7290011CABDB10DFA5DC88DEE7BBDEF88314F20456AF915D3150E7709A81CBA5
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                          • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                          • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                          • wsprintfA.USER32 ref: 00407036
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                          • String ID: /%d$|
                                                                                          • API String ID: 676856371-4124749705
                                                                                          • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                          • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                          • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                          • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(?), ref: 029C2FA1
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 029C2FB1
                                                                                          • GetProcAddress.KERNEL32(00000000,004103F0), ref: 029C2FC8
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108), ref: 029C3000
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 029C3007
                                                                                          • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 029C3032
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                          • String ID: dnsapi.dll
                                                                                          • API String ID: 1242400761-3175542204
                                                                                          • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                          • Instruction ID: 5524188a049d1c4babbcc403d8234a90db8a19823d9511f9bcc805e463a7bdb0
                                                                                          • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                          • Instruction Fuzzy Hash: E621A771D00619BBCB21DF54DC44AEEBBBCEF08B10F108465F901E7540D7749A8187E9
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Code
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 3609698214-2980165447
                                                                                          • Opcode ID: bb3a68048dca612602b0c8d6e49c283fb6b7b0927c26922aed4f6a4c5afedb24
                                                                                          • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                          • Opcode Fuzzy Hash: bb3a68048dca612602b0c8d6e49c283fb6b7b0927c26922aed4f6a4c5afedb24
                                                                                          • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\fdcgtgix,029C7043), ref: 029C6F4E
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 029C6F55
                                                                                          • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 029C6F7B
                                                                                          • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 029C6F92
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                          • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\fdcgtgix
                                                                                          • API String ID: 1082366364-520682941
                                                                                          • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                          • Instruction ID: 6167e80366f3b58c416d873eca87d69aedbf6447538bf1d98ef4d86c26bdcfce
                                                                                          • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                          • Instruction Fuzzy Hash: B521F3217413407AF72297319C88FFB2E4D8B92724F2840ADF844E6591DBD984D687AF
                                                                                          APIs
                                                                                          • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                          • wsprintfA.USER32 ref: 004090E9
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                          • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                          • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 2439722600-2980165447
                                                                                          • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                          • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                          • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                          • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                          APIs
                                                                                          • GetTempPathA.KERNEL32(00000400,?), ref: 029C92E2
                                                                                          • wsprintfA.USER32 ref: 029C9350
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 029C9375
                                                                                          • lstrlen.KERNEL32(?,?,00000000), ref: 029C9389
                                                                                          • WriteFile.KERNEL32(00000000,?,00000000), ref: 029C9394
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 029C939B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 2439722600-2980165447
                                                                                          • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                          • Instruction ID: d7a9b2d26258fb76366f848d1ec9b5b3b70627850d9a57f004fd3b9618b4f11c
                                                                                          • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                          • Instruction Fuzzy Hash: F71172B17401147BE7206771EC0DFEF3A6EDBC8B10F108079BB0AA5090EAB54A418B65
                                                                                          APIs
                                                                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 029C9A18
                                                                                          • GetThreadContext.KERNEL32(?,?), ref: 029C9A52
                                                                                          • TerminateProcess.KERNEL32(?,00000000), ref: 029C9A60
                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 029C9A98
                                                                                          • SetThreadContext.KERNEL32(?,00010002), ref: 029C9AB5
                                                                                          • ResumeThread.KERNEL32(?), ref: 029C9AC2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                          • String ID: D
                                                                                          • API String ID: 2981417381-2746444292
                                                                                          • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                          • Instruction ID: 93b5125ee430950a87c3979bb526f3d411eb504b9bdfd600483675ae6048ffec
                                                                                          • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                          • Instruction Fuzzy Hash: 58213BB1A01219BBEB11DBA1DC09EEF7BBCEF04750F504065FA19E5050E7758A44CBA5
                                                                                          APIs
                                                                                          • inet_addr.WS2_32(004102D8), ref: 029C1C18
                                                                                          • LoadLibraryA.KERNEL32(004102C8), ref: 029C1C26
                                                                                          • GetProcessHeap.KERNEL32 ref: 029C1C84
                                                                                          • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 029C1C9D
                                                                                          • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 029C1CC1
                                                                                          • HeapFree.KERNEL32(?,00000000,00000000), ref: 029C1D02
                                                                                          • FreeLibrary.KERNEL32(?), ref: 029C1D0B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                          • String ID:
                                                                                          • API String ID: 2324436984-0
                                                                                          • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                          • Instruction ID: a31df93a1759c4dabd3d2f0eb0f92c09f5d450c39bc024064a92b5b35994c360
                                                                                          • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                          • Instruction Fuzzy Hash: CE315C32E00209BFCB119FA4DC888EEBAB9EF45315B34447EF509A2111D7B54E80DB99
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                          • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                          • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                          • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                          • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: QueryValue$CloseOpen
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 1586453840-2980165447
                                                                                          • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                          • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                          • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                          • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                          • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                          • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseHandle$CreateEvent
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 1371578007-2980165447
                                                                                          • Opcode ID: ef12e745c0d8ac77b0bd51427e5f83480508b91c038ebc09813fba6640af01bf
                                                                                          • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                          • Opcode Fuzzy Hash: ef12e745c0d8ac77b0bd51427e5f83480508b91c038ebc09813fba6640af01bf
                                                                                          • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                                          APIs
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 029C6CE4
                                                                                          • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 029C6D22
                                                                                          • GetLastError.KERNEL32 ref: 029C6DA7
                                                                                          • CloseHandle.KERNEL32(?), ref: 029C6DB5
                                                                                          • GetLastError.KERNEL32 ref: 029C6DD6
                                                                                          • DeleteFileA.KERNEL32(?), ref: 029C6DE7
                                                                                          • GetLastError.KERNEL32 ref: 029C6DFD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                          • String ID:
                                                                                          • API String ID: 3873183294-0
                                                                                          • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                          • Instruction ID: 7f60ee9415d0823f8afd5d4e8b8df0818a9553f689188d3f70b220d75faeee87
                                                                                          • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                          • Instruction Fuzzy Hash: 9631E376900249BFCB01DFA4DD44ADE7FBDEF88310F24847AE251E3250D7708A558BA6
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                          • CharToOemA.USER32(?,?), ref: 00409174
                                                                                          • wsprintfA.USER32 ref: 004091A9
                                                                                            • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                            • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                            • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                            • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                            • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                            • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 3857584221-2980165447
                                                                                          • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                          • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                          • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                          • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 029C93C6
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 029C93CD
                                                                                          • CharToOemA.USER32(?,?), ref: 029C93DB
                                                                                          • wsprintfA.USER32 ref: 029C9410
                                                                                            • Part of subcall function 029C92CB: GetTempPathA.KERNEL32(00000400,?), ref: 029C92E2
                                                                                            • Part of subcall function 029C92CB: wsprintfA.USER32 ref: 029C9350
                                                                                            • Part of subcall function 029C92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 029C9375
                                                                                            • Part of subcall function 029C92CB: lstrlen.KERNEL32(?,?,00000000), ref: 029C9389
                                                                                            • Part of subcall function 029C92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 029C9394
                                                                                            • Part of subcall function 029C92CB: CloseHandle.KERNEL32(00000000), ref: 029C939B
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 029C9448
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 3857584221-2980165447
                                                                                          • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                          • Instruction ID: a2da427887c117fbf8499d8352bd0e1b664af9504d65fcedf9bc2a4268d80c46
                                                                                          • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                          • Instruction Fuzzy Hash: 790152F69001187BE721A7619D89EDF377CDB95701F0040A6BB49E2080DAB497C58F75
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen
                                                                                          • String ID: $localcfg
                                                                                          • API String ID: 1659193697-2018645984
                                                                                          • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                          • Instruction ID: 673fe83b06efaa2e9f65a32284bb6c59a4ecb582d53ca7c7b2ff62d10f249c11
                                                                                          • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                          • Instruction Fuzzy Hash: 45712971A4030CAADF218E94EC85FEE376EAF40719F34446FF905A60D0DF6299848B5B
                                                                                          APIs
                                                                                            • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                          • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                          • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                          • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                          • String ID: flags_upd$localcfg
                                                                                          • API String ID: 204374128-3505511081
                                                                                          • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                          • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                          • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                          • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                          APIs
                                                                                            • Part of subcall function 029CDF6C: GetCurrentThreadId.KERNEL32 ref: 029CDFBA
                                                                                          • lstrcmp.KERNEL32(00410178,00000000), ref: 029CE8FA
                                                                                          • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,029C6128), ref: 029CE950
                                                                                          • lstrcmp.KERNEL32(?,00000008), ref: 029CE989
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                          • String ID: A$ A$ A
                                                                                          • API String ID: 2920362961-1846390581
                                                                                          • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                          • Instruction ID: 82ac7471e01db044a2f895092095ee5ad02195c1b0468331dfc33b417454f9d6
                                                                                          • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                          • Instruction Fuzzy Hash: 01319C31A047059BDB79CF24C884BA67BE8FB09764F60892EE5D687651D370E880CB93
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Code
                                                                                          • String ID:
                                                                                          • API String ID: 3609698214-0
                                                                                          • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                          • Instruction ID: f14f9e44d49d42ea3763d8802c7cf9e727fadc1c69f2bde0a95850e4be8feab1
                                                                                          • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                          • Instruction Fuzzy Hash: 982142B2104119FFDB119BB1FC48EDF7FADDB896A5B20842AF502D2090EB70DA50D675
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                          • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                          • Sleep.KERNEL32(00000000,?,771B0F10,?,00000000,0040E538,?,771B0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                          • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 3819781495-0
                                                                                          • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                          • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                          • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                          • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 029CC6B4
                                                                                          • InterlockedIncrement.KERNEL32(029CC74B), ref: 029CC715
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,029CC747), ref: 029CC728
                                                                                          • CloseHandle.KERNEL32(00000000,?,029CC747,00413588,029C8A77), ref: 029CC733
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1026198776-1857712256
                                                                                          • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                          • Instruction ID: b248d93761d5b1b270cdf1511e9b86a98c9c98524d2189ee261f77e41f6cf9c9
                                                                                          • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                          • Instruction Fuzzy Hash: 16514BB1A01B468FD7249F69C6D462ABBE9FB48304B60593FE18BC7A90D774F844CB11
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 0040815F
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 00408187
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 004081BE
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 00408210
                                                                                            • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 0040677E
                                                                                            • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 0040679A
                                                                                            • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 004067B0
                                                                                            • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 004067BF
                                                                                            • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 004067D3
                                                                                            • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,771B0F10,00000000), ref: 00406807
                                                                                            • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040681F
                                                                                            • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 0040683E
                                                                                            • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040685C
                                                                                            • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                            • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 124786226-2980165447
                                                                                          • Opcode ID: 50e144e5c66517dd62c9eb504a4f9f7b4843c8d6198543f26dab993f1630d953
                                                                                          • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                          • Opcode Fuzzy Hash: 50e144e5c66517dd62c9eb504a4f9f7b4843c8d6198543f26dab993f1630d953
                                                                                          • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                          APIs
                                                                                          • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                          • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                          • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                          • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                           • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseCreateDelete
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 2667537340-2980165447
                                                                                          • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                          • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                          • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                          • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
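The "APIs" bullets in the preceding blocks show raw stack values (for example CreateFileA with 40000000 and 00000002, RegCreateKeyExA with 80000001 and 00020106, RegSetValueExA with a dwType of 00000003), which are tedious to read back into Win32 constant names by hand. The script below is an added example, not Joe Sandbox code, that parses bullets in the form rendered here and names the flag and enum values for a handful of file and registry APIs. It assumes that the first N comma-separated values are the API's N documented parameters and that any trailing values are extra stack slots shown by the sandbox, and it uses constant values from the Windows SDK headers. The sample lines are copied from the report blocks above.

```python
"""Name Win32 constants in Joe Sandbox "APIs" trace bullets (added example, not Joe Sandbox code).

Assumed bullet format: "• Api.MODULE(arg,arg,...), ref: ADDR", optionally prefixed with
"Part of subcall function XXXX:". The first N values are the API's N parameters; the rest are
extra stack slots that the sandbox prints and are kept separately.
"""
import re

_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Bit-flag tables (composite masks first so they are named before their parts); values per winnt.h.
_GENERIC = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE"),
            (0x20000000, "GENERIC_EXECUTE"), (0x10000000, "GENERIC_ALL")]
_SHARE = [(0x1, "FILE_SHARE_READ"), (0x2, "FILE_SHARE_WRITE"), (0x4, "FILE_SHARE_DELETE")]
_ATTRS = [(0x1, "FILE_ATTRIBUTE_READONLY"), (0x2, "FILE_ATTRIBUTE_HIDDEN"),
          (0x4, "FILE_ATTRIBUTE_SYSTEM"), (0x20, "FILE_ATTRIBUTE_ARCHIVE"),
          (0x80, "FILE_ATTRIBUTE_NORMAL"), (0x100, "FILE_ATTRIBUTE_TEMPORARY"),
          (0x04000000, "FILE_FLAG_DELETE_ON_CLOSE")]
_KEYSAM = [(0xF003F, "KEY_ALL_ACCESS"), (0x20019, "KEY_READ"), (0x20006, "KEY_WRITE"),
           (0x1, "KEY_QUERY_VALUE"), (0x2, "KEY_SET_VALUE"), (0x4, "KEY_CREATE_SUB_KEY"),
           (0x8, "KEY_ENUMERATE_SUB_KEYS"), (0x10, "KEY_NOTIFY"),
           (0x100, "KEY_WOW64_64KEY"), (0x200, "KEY_WOW64_32KEY")]
# Enumerations (exact value -> name).
_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
_HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
         0x80000005: "HKEY_CURRENT_CONFIG"}
_REGTYPE = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
            4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}

# api -> (documented parameter count, {parameter index: (parameter name, table)})
_SPEC = {
    "CreateFileA": (7, {1: ("dwDesiredAccess", _GENERIC), 2: ("dwShareMode", _SHARE),
                        4: ("dwCreationDisposition", _DISPOSITION),
                        5: ("dwFlagsAndAttributes", _ATTRS)}),
    "SetFileAttributesA": (2, {1: ("dwFileAttributes", _ATTRS)}),
    "RegOpenKeyExA": (5, {0: ("hKey", _HKEY), 3: ("samDesired", _KEYSAM)}),
    "RegCreateKeyExA": (9, {0: ("hKey", _HKEY), 5: ("samDesired", _KEYSAM)}),
    "RegSetValueExA": (6, {3: ("dwType", _REGTYPE)}),
}


def _name_flags(value, table):
    """Name every mask in `table` present in `value`; leftover bits stay as hex."""
    names, rest = [], value
    for mask, name in table:
        if rest & mask == mask:
            names.append(name)
            rest &= ~mask
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) if names else "0"


def _decode(value, table):
    if isinstance(table, dict):          # enumeration: exact match or raw hex
        return table.get(value, f"0x{value:X}")
    return _name_flags(value, table)


def _parse_arg(text):
    text = text.strip()
    if text == "?":
        return None                      # value not recovered by the sandbox
    if re.fullmatch(r"[0-9A-Fa-f]{8}", text):
        return int(text, 16)
    return text                          # inline string, e.g. PromptOnSecureDesktop


def decode_line(line):
    """Parse one bullet; return None if the line is not an API call bullet."""
    m = _CALL_RE.match(line)
    if not m:
        return None
    args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
    nparams, decoders = _SPEC.get(m["api"], (len(args), {}))
    decoded = {}
    for idx, (pname, table) in decoders.items():
        if idx < min(nparams, len(args)) and isinstance(args[idx], int):
            decoded[pname] = _decode(args[idx], table)
    return {"api": m["api"], "module": m["module"], "ref": m["ref"],
            "params": args[:nparams], "extra_stack": args[nparams:], "decoded": decoded}


def decode_report(lines):
    return [d for d in (decode_line(ln) for ln in lines) if d]


# Constructed input: bullets copied from the report blocks above.
SAMPLE_LINES = [
    "• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E",
    "• wsprintfA.USER32 ref: 004090E9",
    "• Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 004067B0",
    "• Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 004067BF",
    "• RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2",
    "• RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127",
]

if __name__ == "__main__":
    for entry in decode_report(SAMPLE_LINES):
        print(f"{entry['ref']} {entry['api']}.{entry['module']} {entry['decoded']}")
```

Run against the sample bullets this names the temp-file drop as GENERIC_WRITE with CREATE_ALWAYS, the second open as GENERIC_READ on a FILE_ATTRIBUTE_SYSTEM path with read/write sharing, the SetFileAttributesA call as FILE_ATTRIBUTE_HIDDEN, the registry key creation as HKEY_CURRENT_USER with KEY_WRITE|KEY_WOW64_64KEY, and the value write as REG_BINARY. Pointer arguments and values the sandbox could not recover (shown as ?) are left undecoded, and parameters whose meaning is not in the table stay as integers, so the output only names what the SDK headers define.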
                                                                                          APIs
                                                                                          • RegCreateKeyExA.ADVAPI32(80000001,029CE50A,00000000,00000000,00000000,00020106,00000000,029CE50A,00000000,000000E4), ref: 029CE319
                                                                                          • RegSetValueExA.ADVAPI32(029CE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 029CE38E
                                                                                          • RegDeleteValueA.ADVAPI32(029CE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 029CE3BF
                                                                                          • RegCloseKey.ADVAPI32(029CE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,029CE50A), ref: 029CE3C8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseCreateDelete
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 2667537340-2980165447
                                                                                          • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                          • Instruction ID: ba775650c145f99a1908e57553c5c162a75460460757242659337fc9964162c6
                                                                                          • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                          • Instruction Fuzzy Hash: 00214A71A0021DABDF219FA4EC89EEE7F7DEF08760F108025F945A6150E3719A54DBA1
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 029C71E1
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 029C7228
                                                                                          • LocalFree.KERNEL32(?,?,?), ref: 029C7286
                                                                                          • wsprintfA.USER32 ref: 029C729D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                          • String ID: |
                                                                                          • API String ID: 2539190677-2343686810
                                                                                          • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                          • Instruction ID: 73079d3558238009d5b9ed7756f381ba905b9ac302e2fafb62525d234aff1b5b
                                                                                          • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                          • Instruction Fuzzy Hash: A5311A72900208BBDB01DFA8DC45BDA7BADEF04314F24C06AF959DB244EB75D6488F95
                                                                                          APIs
                                                                                          • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                          • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                          • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                          • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$gethostnamelstrcpy
                                                                                          • String ID: LocalHost
                                                                                          • API String ID: 3695455745-3154191806
                                                                                          • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                          • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                          • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                          • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 029CB51A
                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 029CB529
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 029CB548
                                                                                          • GetTimeZoneInformation.KERNEL32(?), ref: 029CB590
                                                                                          • wsprintfA.USER32 ref: 029CB61E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                          • String ID:
                                                                                          • API String ID: 4026320513-0
                                                                                          • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                          • Instruction ID: 6a8e380ccb890cad47d0e2eb1f8e2467e23cfd5fbf209ed6805b59745499288e
                                                                                          • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                          • Instruction Fuzzy Hash: A85130B1D0021CAACF14CFD5D8899EEBBB9BF48304F10812AF501B6150E7B84AC9CF98
                                                                                          APIs
                                                                                          • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 029C6303
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 029C632A
                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 029C63B1
                                                                                          • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 029C6405
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: HugeRead$AddressLibraryLoadProc
                                                                                          • String ID:
                                                                                          • API String ID: 3498078134-0
                                                                                          • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                          • Instruction ID: a66c792c0b583b6da9f7d32b37722633001d7139c40a0fd01ece10e126d50b6c
                                                                                          • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                          • Instruction Fuzzy Hash: 49414CB1A04209EFDB14CF58C884BA9B7BCFF84358F24856DE865D7290E771E941CB51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                          • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                          • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                          • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                          APIs
                                                                                            • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          • lstrcmpA.KERNEL32(771B0F18,00000000,?,771B0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                          • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,771B0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                          • lstrcmpA.KERNEL32(?,00000008,?,771B0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                          • String ID: A$ A
                                                                                          • API String ID: 3343386518-686259309
                                                                                          • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                          • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                          • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                          • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0040272E
                                                                                          • htons.WS2_32(00000001), ref: 00402752
                                                                                          • htons.WS2_32(0000000F), ref: 004027D5
                                                                                          • htons.WS2_32(00000001), ref: 004027E3
                                                                                          • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                            • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                            • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                          • String ID:
                                                                                          • API String ID: 1128258776-0
                                                                                          • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                          • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                          • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                          • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                          APIs
                                                                                          • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                          • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                          • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                          • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                          • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: setsockopt
                                                                                          • String ID:
                                                                                          • API String ID: 3981526788-0
                                                                                          • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                          • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                          • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                          • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                          APIs
                                                                                          • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                          • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                          • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                          • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$lstrcmpi
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1808961391-1857712256
                                                                                          • Opcode ID: 53a70ba93e4b2c34d413b9add9e26c4f8e9f0de61643a904c0250f6f0d42246e
                                                                                          • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                          • Opcode Fuzzy Hash: 53a70ba93e4b2c34d413b9add9e26c4f8e9f0de61643a904c0250f6f0d42246e
                                                                                          • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                          APIs
                                                                                            • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,771B0F10,?,00000000,?,0040A445), ref: 0040E558
                                                                                          • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,771B0F10,?,00000000,?,0040A445), ref: 0040E583
                                                                                          • CloseHandle.KERNEL32(00000000,?,771B0F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 3683885500-2980165447
                                                                                          • Opcode ID: e52c754b5c4df7ac7535869be25ad2b94008d4c8a4726cb9c757c49838e9d70c
                                                                                          • Instruction ID: 336cca8f28a0ae06816d6806ca3c094c6326420f96deeb8fe64773c8e7208e17
                                                                                          • Opcode Fuzzy Hash: e52c754b5c4df7ac7535869be25ad2b94008d4c8a4726cb9c757c49838e9d70c
                                                                                          • Instruction Fuzzy Hash: F321EAB19402047AE2207B639C0AFAB3D1CDF54758F10093EBA09B11E3E9BDD96082BD
                                                                                          APIs
                                                                                            • Part of subcall function 029CDF6C: GetCurrentThreadId.KERNEL32 ref: 029CDFBA
                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,029CA6AC), ref: 029CE7BF
                                                                                          • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,029CA6AC), ref: 029CE7EA
                                                                                          • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,029CA6AC), ref: 029CE819
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCurrentHandleReadSizeThread
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 1396056608-2980165447
                                                                                          • Opcode ID: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                          • Instruction ID: c43398b038594cb4ff01351c96befb7af9fc1b3f72a9ad83e863073f25b2a0f2
                                                                                          • Opcode Fuzzy Hash: 7902eb09b18f90ff15814c2c52a49d831fada2081c22b3094fea9a8900fad251
                                                                                          • Instruction Fuzzy Hash: 8821F9B1A443007AF22177219C45FEB3E1DDFA5B60F30003DFA4AB51D3EA5595508AB7
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                          • API String ID: 2574300362-1087626847
                                                                                          • Opcode ID: 5c3f6046797f5d804895e4c05c4277987be728c98b5bed37973dbb72bca93dd1
                                                                                          • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                          • Opcode Fuzzy Hash: 5c3f6046797f5d804895e4c05c4277987be728c98b5bed37973dbb72bca93dd1
                                                                                          • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 029C76D9
                                                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 029C796D
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 029C797E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseEnumOpen
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 1332880857-2980165447
                                                                                          • Opcode ID: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                          • Instruction ID: 91a9d41131a10e96f2bf09e3571275dee73db3935cb63376c038fba62acd15bf
                                                                                          • Opcode Fuzzy Hash: 6add54f53aa26b9129486f5997ff6e8fcd40a3645fc937a9d882d7137db5ef12
                                                                                          • Instruction Fuzzy Hash: 3911CA70A00109AFDB119BA9EC44EEEBF7DAB81714F240169F510E6290E3B08A408F62
                                                                                          APIs
                                                                                            • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                          • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                          • String ID: hi_id$localcfg
                                                                                          • API String ID: 2777991786-2393279970
                                                                                          • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                          • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                          • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                          • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                                          • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                                          • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseDeleteOpenValue
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 849931509-2980165447
                                                                                          • Opcode ID: c32bd2a19c33d57a97dc38e480cb8eff028dd4ac8e1228206779d83c5918f3cf
                                                                                          • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                                          • Opcode Fuzzy Hash: c32bd2a19c33d57a97dc38e480cb8eff028dd4ac8e1228206779d83c5918f3cf
                                                                                          • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 029C999D
                                                                                          • RegDeleteValueA.ADVAPI32(?,00000000), ref: 029C99BD
                                                                                          • RegCloseKey.ADVAPI32(?), ref: 029C99C6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseDeleteOpenValue
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 849931509-2980165447
                                                                                          • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                          • Instruction ID: b6573a5a3e1ca7dce4bb35ad655fdf95d54669ddeff2ecbc6e82aa0dae34fd37
                                                                                          • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                                          • Instruction Fuzzy Hash: F1F0F6B2A80208BBF7106B54EC46FDB3A2DDB94B10F200075FA05B5081F6E59B9086BA
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbynameinet_addr
                                                                                          • String ID: time_cfg$u6A
                                                                                          • API String ID: 1594361348-1940331995
                                                                                          • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction ID: 23ce6c5d49f2aec6002fa53e00286fc9d37299601e7585bb6a782c5292ac9aaf
                                                                                          • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction Fuzzy Hash: 9FE01230A085119FDB50DB2CF848AD577E9EF4A230F158599F854D71A0C774DCC19755
                                                                                          APIs
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 029C69E5
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002), ref: 029C6A26
                                                                                          • GetFileSize.KERNEL32(000000FF,00000000), ref: 029C6A3A
                                                                                          • CloseHandle.KERNEL32(000000FF), ref: 029C6BD8
                                                                                            • Part of subcall function 029CEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,029C1DCF,?), ref: 029CEEA8
                                                                                            • Part of subcall function 029CEE95: HeapFree.KERNEL32(00000000), ref: 029CEEAF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                          • String ID:
                                                                                          • API String ID: 3384756699-0
                                                                                          • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                          • Instruction ID: c9c750c142d375a173ee5b41ecce7a9b3900eaa96eae165cd73d39ebaa0fc3c2
                                                                                          • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                          • Instruction Fuzzy Hash: 9171057190421DEFEB11DFA4CC80AEEBBBDFB48354F20456EE515A6190D7309E92DB60
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf
                                                                                          • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                          • API String ID: 2111968516-120809033
                                                                                          • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                          • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                          • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                          • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                          • GetLastError.KERNEL32 ref: 00403F4E
                                                                                          • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3373104450-0
                                                                                          • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                          • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                          • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                          • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                          APIs
                                                                                          • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 029C421F
                                                                                          • GetLastError.KERNEL32 ref: 029C4229
                                                                                          • WaitForSingleObject.KERNEL32(?,?), ref: 029C423A
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 029C424D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                          • String ID:
                                                                                          • API String ID: 888215731-0
                                                                                          • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                          • Instruction ID: b1d0fe786a3419c8af4a0debf174dd513f3fa537d0f51993fe313a0ac2f4aa59
                                                                                          • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                          • Instruction Fuzzy Hash: 5701C472A11209AFDF01DF90EE85BEF7BACEB08256F108465F901E6050D770EA548BB6
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 029C41AB
                                                                                          • GetLastError.KERNEL32 ref: 029C41B5
                                                                                          • WaitForSingleObject.KERNEL32(?,?), ref: 029C41C6
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 029C41D9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3373104450-0
                                                                                          • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                          • Instruction ID: cc52364752808eeb0dd046eae7273d1ec9d7cba023f9e7642f912381b9c5a22f
                                                                                          • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                          • Instruction Fuzzy Hash: 30010C7651110AAFDF01DF90ED88BEF7B6CEB18295F104065F901E2150D770DA548BB6
                                                                                          APIs
                                                                                          • lstrcmp.KERNEL32(?,80000009), ref: 029CE066
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmp
                                                                                          • String ID: A$ A$ A
                                                                                          • API String ID: 1534048567-1846390581
                                                                                          • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                          • Instruction ID: 2124820c3ce42339cdb9a13c9e1a4ebda46d1664827d2d333bd0a44f0e42c532
                                                                                          • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                          • Instruction Fuzzy Hash: FCF062312047069BCB30CF25D884A92B7EDFB05335B64862EE596D3060D374A498CB96
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                          • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                          • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                          • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                          • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                          • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                          • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                          • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                          • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                          • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                          • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                          • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                          • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                          • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                          • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                          • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                          • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00403103
                                                                                          • GetTickCount.KERNEL32 ref: 0040310F
                                                                                          • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                          • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                                          • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                                          • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                          • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                            • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                            • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                            • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                            • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 4151426672-2980165447
                                                                                          • Opcode ID: a7932ee6e11f51e31df66d5708ae860d6aff00331a4d04ea59eecfc3ddd3bc48
                                                                                          • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                                          • Opcode Fuzzy Hash: a7932ee6e11f51e31df66d5708ae860d6aff00331a4d04ea59eecfc3ddd3bc48
                                                                                          • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000001,029C44E2,00000000,00000000,00000000), ref: 029CE470
                                                                                          • CloseHandle.KERNEL32(00000001,00000003), ref: 029CE484
                                                                                            • Part of subcall function 029CE2FC: RegCreateKeyExA.ADVAPI32(80000001,029CE50A,00000000,00000000,00000000,00020106,00000000,029CE50A,00000000,000000E4), ref: 029CE319
                                                                                            • Part of subcall function 029CE2FC: RegSetValueExA.ADVAPI32(029CE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 029CE38E
                                                                                            • Part of subcall function 029CE2FC: RegDeleteValueA.ADVAPI32(029CE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 029CE3BF
                                                                                            • Part of subcall function 029CE2FC: RegCloseKey.ADVAPI32(029CE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,029CE50A), ref: 029CE3C8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 4151426672-2980165447
                                                                                          • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                          • Instruction ID: 45da85043db2864e4522c4220e3edcd89d6ce4fd9aa1155bd31e343463be4764
                                                                                          • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                                          • Instruction Fuzzy Hash: D541D6B2D00218BBEF206F518C45FEB3B6DEB44764F24803DFE4A94091E7B59650DAB6
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 029C83C6
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 029C8477
                                                                                            • Part of subcall function 029C69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 029C69E5
                                                                                            • Part of subcall function 029C69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 029C6A26
                                                                                            • Part of subcall function 029C69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 029C6A3A
                                                                                            • Part of subcall function 029CEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,029C1DCF,?), ref: 029CEEA8
                                                                                            • Part of subcall function 029CEE95: HeapFree.KERNEL32(00000000), ref: 029CEEAF
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 359188348-2980165447
                                                                                          • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                          • Instruction ID: 9b6d129aba509a7c9fdb47b5cc25dad3d991a12577dcda7d8640d592dded57ec
                                                                                          • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                                          • Instruction Fuzzy Hash: C7415FB2900109BFEB12EBA09D80EFF776EFB44344F2444AEE549D7150E7B05A948B66
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,029CE859,00000000,00020119,029CE859,PromptOnSecureDesktop), ref: 029CE64D
                                                                                          • RegCloseKey.ADVAPI32(029CE859,?,?,?,?,000000C8,000000E4), ref: 029CE787
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseOpen
                                                                                          • String ID: PromptOnSecureDesktop
                                                                                          • API String ID: 47109696-2980165447
                                                                                          • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                          • Instruction ID: b93a31c7f05ea214b643ee3ea18ef720372e9914e1e03c115ba9e04612098848
                                                                                          • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                                          • Instruction Fuzzy Hash: 4B4106B2D0011DBFDF11AF94DC85EEEBB7EEB04304F24446AEA01B6150E3719A559B61
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 029CAFFF
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 029CB00D
                                                                                            • Part of subcall function 029CAF6F: gethostname.WS2_32(?,00000080), ref: 029CAF83
                                                                                            • Part of subcall function 029CAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 029CAFE6
                                                                                            • Part of subcall function 029C331C: gethostname.WS2_32(?,00000080), ref: 029C333F
                                                                                            • Part of subcall function 029C331C: gethostbyname.WS2_32(?), ref: 029C3349
                                                                                            • Part of subcall function 029CAA0A: inet_ntoa.WS2_32(00000000), ref: 029CAA10
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                          • String ID: %OUTLOOK_BND_
                                                                                          • API String ID: 1981676241-3684217054
                                                                                          • Opcode ID: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                          • Instruction ID: 5f299d56529433ac0a21e47bac1110e2f808d6c19789518a3d0d4cc3733ad488
                                                                                          • Opcode Fuzzy Hash: 8e8a8b671ed14d1768aa81df58b4956713f73d3ffbf43b844f6b98d3c95244e6
                                                                                          • Instruction Fuzzy Hash: B441817290024CABDB21EFA0DC45EEE3BAEFF48314F24442BF92992151EA75DA448F55
                                                                                          APIs
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 029C9536
                                                                                          • Sleep.KERNEL32(000001F4), ref: 029C955D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ExecuteShellSleep
                                                                                          • String ID:
                                                                                          • API String ID: 4194306370-3916222277
                                                                                          • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                          • Instruction ID: f87978965b4a2b29d063abacdbb5c20b0ab5d4dc25f930011aee6ef7d443f850
                                                                                          • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                                          • Instruction Fuzzy Hash: 324127B18083D46EFB368B64D89C7B63BAC9B02314F3400ADD88697192D7744980C723
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 029CB9D9
                                                                                          • InterlockedIncrement.KERNEL32(00413648), ref: 029CBA3A
                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 029CBA94
                                                                                          • GetTickCount.KERNEL32 ref: 029CBB79
                                                                                          • GetTickCount.KERNEL32 ref: 029CBB99
                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 029CBE15
                                                                                          • closesocket.WS2_32(00000000), ref: 029CBEB4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountIncrementInterlockedTick$closesocket
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 1869671989-2903620461
                                                                                          • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                          • Instruction ID: 45b40c7df081a157735c01f3d751bf5e120392ed1cabed12d100dcd8f9d04202
                                                                                          • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                          • Instruction Fuzzy Hash: A1319CB1400248DFDF24DFA4DC95BEAB7B9EB48704F20446AFA2493160DB30DA85CF52
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 536389180-1857712256
                                                                                          • Opcode ID: f585014306f6c3250efaa4e73719a74caf3cdfa730fd8078cc8a6a0845b45eb1
                                                                                          • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                          • Opcode Fuzzy Hash: f585014306f6c3250efaa4e73719a74caf3cdfa730fd8078cc8a6a0845b45eb1
                                                                                          • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                          APIs
                                                                                          Strings
                                                                                          • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTickwsprintf
                                                                                          • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                          • API String ID: 2424974917-1012700906
                                                                                          • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                          • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                          • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                          • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                          APIs
                                                                                            • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                            • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 3716169038-2903620461
                                                                                          • Opcode ID: 07e354698f15fd9fc768e13d315d3543d6c442699b8c7836c4f7c54cdd5a5fd6
                                                                                          • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                          • Opcode Fuzzy Hash: 07e354698f15fd9fc768e13d315d3543d6c442699b8c7836c4f7c54cdd5a5fd6
                                                                                          • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                          APIs
                                                                                          • GetUserNameW.ADVAPI32(?,?), ref: 029C70BC
                                                                                          • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 029C70F4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$AccountLookupUser
                                                                                          • String ID: |
                                                                                          • API String ID: 2370142434-2343686810
                                                                                          • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                          • Instruction ID: 229773682f4de4b77a5085649330724ef488e8eb64a74401effa05ddb920840c
                                                                                          • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                          • Instruction Fuzzy Hash: 3B11FA72900118EBDB11CFD4DC84AEEB7BDAB04719F2481AAE501E6294D7709B88CFA1
                                                                                          APIs
                                                                                            • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                          • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 2777991786-1857712256
                                                                                          • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                          • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                          • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                          • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                          APIs
                                                                                          • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                          • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: IncrementInterlockedlstrcpyn
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 224340156-2903620461
                                                                                          • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                          • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                          • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                          • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                          APIs
                                                                                          • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                          • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbyaddrinet_ntoa
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 2112563974-1857712256
                                                                                          • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                          • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                          • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                          • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbynameinet_addr
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 1594361348-2401304539
                                                                                          • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                          • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7686EA50,80000001,00000000), ref: 0040EAF2
                                                                                          • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: ntdll.dll
                                                                                          • API String ID: 2574300362-2227199552
                                                                                          • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                          • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                          • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                          • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                          APIs
                                                                                            • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                          • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3691594909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Associated: 00000000.00000002.3691594909.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_400000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1017166417-0
                                                                                          • Opcode ID: 44b2ceadd519ca45f912a616d592807794313ca1f1de80b4bcf7ee55ccb8d493
                                                                                          • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                          • Opcode Fuzzy Hash: 44b2ceadd519ca45f912a616d592807794313ca1f1de80b4bcf7ee55ccb8d493
                                                                                          • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                          APIs
                                                                                            • Part of subcall function 029C2F88: GetModuleHandleA.KERNEL32(?), ref: 029C2FA1
                                                                                            • Part of subcall function 029C2F88: LoadLibraryA.KERNEL32(?), ref: 029C2FB1
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 029C31DA
                                                                                          • HeapFree.KERNEL32(00000000), ref: 029C31E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000000.00000002.3695092546.00000000029C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029C0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_0_2_29c0000_vyrcclmm.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1017166417-0
                                                                                          • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                          • Instruction ID: a012d79f59e986a63eb59656a3aa4b658dd50b46dbb3bc9664c265d8c596cdef
                                                                                          • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                          • Instruction Fuzzy Hash: E9517D7190024AAFCF01DF64D888AFAB779FF05305F2485A9EC96C7210E732DA19CB95

                                                                                          Execution Graph

                                                                                          Execution Coverage: 3.4%
                                                                                          Dynamic/Decrypted Code Coverage: 2.1%
                                                                                          Signature Coverage: 0%
                                                                                          Total number of Nodes: 1550
                                                                                          Total number of Limit Nodes: 12
14638 40ec2e codecvt 4 API calls 14642 40a15d 14638->14642 14640->14644 14645 409e7d 14640->14645 14641->14651 14642->14605 14642->14608 14644->14638 14646 4099d2 16 API calls 14645->14646 14647 409e9d 14646->14647 14647->14644 14653 409eb0 lstrcpyA lstrlenA 14647->14653 14648 406dc2 6 API calls 14649 409d5f 14648->14649 14654 406cc9 5 API calls 14649->14654 14701 406ec3 14651->14701 14652 40a3c2 14655 4098f2 41 API calls 14652->14655 14656 409ef4 14653->14656 14659 409d72 lstrcpyA lstrcatA lstrcatA 14654->14659 14655->14584 14657 406dc2 6 API calls 14656->14657 14660 409f03 14656->14660 14657->14660 14658 40a39d StartServiceCtrlDispatcherA 14658->14652 14661 409cf6 14659->14661 14662 409f32 RegOpenKeyExA 14660->14662 14750 409326 14661->14750 14664 409f48 RegSetValueExA RegCloseKey 14662->14664 14667 409f70 14662->14667 14663 40a35f 14663->14652 14663->14658 14664->14667 14672 409f9d GetModuleHandleA GetModuleFileNameA 14667->14672 14668 409e0c DeleteFileA 14668->14634 14669 409dde GetFileAttributesExA 14669->14668 14671 409df7 14669->14671 14671->14644 14787 4096ff 14671->14787 14674 409fc2 14672->14674 14675 40a093 14672->14675 14674->14675 14681 409ff1 GetDriveTypeA 14674->14681 14676 40a103 CreateProcessA 14675->14676 14679 40a0a4 wsprintfA 14675->14679 14677 40a13a 14676->14677 14678 40a12a DeleteFileA 14676->14678 14677->14644 14685 4096ff 3 API calls 14677->14685 14678->14677 14793 402544 14679->14793 14681->14675 14683 40a00d 14681->14683 14687 40a02d lstrcatA 14683->14687 14684 40ee2a 14686 40a0ec lstrcatA 14684->14686 14685->14644 14686->14676 14688 40a046 14687->14688 14689 40a052 lstrcatA 14688->14689 14690 40a064 lstrcatA 14688->14690 14689->14690 14690->14675 14691 40a081 lstrcatA 14690->14691 14691->14675 14692->14577 14694 4096b9 14693->14694 15023 4073ff 14694->15023 14696 4096e2 14697 4096e9 14696->14697 14698 4096fa 14696->14698 15043 40704c 14697->15043 14698->14601 14698->14602 14700 4096f7 14700->14698 14702 406ed5 14701->14702 14703 406ecc 
14701->14703 14702->14663 15068 406e36 GetUserNameW 14703->15068 14706 406784 CreateFileA 14705->14706 14707 40677a SetFileAttributesA 14705->14707 14708 4067a4 CreateFileA 14706->14708 14709 4067b5 14706->14709 14707->14706 14708->14709 14710 4067c5 14709->14710 14711 4067ba SetFileAttributesA 14709->14711 14712 406977 14710->14712 14713 4067cf GetFileSize 14710->14713 14711->14710 14712->14608 14730 406a60 CreateFileA 14712->14730 14714 4067e5 14713->14714 14728 406922 14713->14728 14716 4067ed ReadFile 14714->14716 14714->14728 14715 40696e CloseHandle 14715->14712 14717 406811 SetFilePointer 14716->14717 14716->14728 14718 40682a ReadFile 14717->14718 14717->14728 14719 406848 SetFilePointer 14718->14719 14718->14728 14720 406867 14719->14720 14719->14728 14721 406878 ReadFile 14720->14721 14725 4068d0 14720->14725 14721->14720 14721->14725 14722 40ebcc 4 API calls 14723 4068f8 14722->14723 14724 406900 SetFilePointer 14723->14724 14723->14728 14726 40695a 14724->14726 14727 40690d ReadFile 14724->14727 14725->14715 14725->14722 14729 40ec2e codecvt 4 API calls 14726->14729 14727->14726 14727->14728 14728->14715 14729->14728 14731 406b8c GetLastError 14730->14731 14732 406a8f GetDiskFreeSpaceA 14730->14732 14733 406b86 14731->14733 14734 406ac5 14732->14734 14741 406ad7 14732->14741 14733->14627 15071 40eb0e 14734->15071 14738 406b56 CloseHandle 14738->14733 14740 406b65 GetLastError CloseHandle 14738->14740 14739 406b36 GetLastError CloseHandle 14742 406b7f DeleteFileA 14739->14742 14740->14742 15075 406987 14741->15075 14742->14733 14744 4099eb 14743->14744 14745 409a2f lstrcatA 14744->14745 14746 40ee2a 14745->14746 14747 409a4b lstrcatA 14746->14747 14748 406a60 13 API calls 14747->14748 14749 409a60 14748->14749 14749->14634 14749->14648 14749->14661 15085 401910 14750->15085 14753 40934a GetModuleHandleA GetModuleFileNameA 14755 40937f 14753->14755 14756 4093a4 14755->14756 14757 4093d9 14755->14757 14759 4093c3 wsprintfA 14756->14759 14758 409401 
wsprintfA 14757->14758 14760 409415 14758->14760 14759->14760 14763 406cc9 5 API calls 14760->14763 14783 4094a0 14760->14783 14762 4094ac 14764 40962f 14762->14764 14768 4094e8 RegOpenKeyExA 14762->14768 14765 409439 14763->14765 14766 409639 VirtualProtect 14764->14766 14767 40966d 14764->14767 14774 40ef1e lstrlenA 14765->14774 14766->14767 14779 4095d6 14766->14779 15107 4091eb 14767->15107 14769 409502 14768->14769 14771 4094fb 14768->14771 14773 40951f RegQueryValueExA 14769->14773 14771->14764 14772 40958a 14771->14772 14772->14767 14775 409593 14772->14775 14776 409530 14773->14776 14777 409539 14773->14777 14778 409462 14774->14778 14775->14779 15095 40f0e4 14775->15095 14780 40956e RegCloseKey 14776->14780 14781 409556 RegQueryValueExA 14777->14781 14782 40947e wsprintfA 14778->14782 14779->14668 14779->14669 14780->14771 14781->14776 14781->14780 14782->14783 15087 406edd 14783->15087 14785 4095bb 14785->14779 15102 4018e0 VirtualProtect 14785->15102 14788 402544 14787->14788 14789 40972d RegOpenKeyExA 14788->14789 14790 409740 14789->14790 14791 409765 14789->14791 14792 40974f RegDeleteValueA RegCloseKey 14790->14792 14791->14644 14792->14791 14794 402554 lstrcatA 14793->14794 14794->14684 14796 402544 14795->14796 14797 40919e wsprintfA 14796->14797 14798 4091bb 14797->14798 15125 409064 GetTempPathA 14798->15125 14801 4091d5 ShellExecuteA 14802 4091e7 14801->14802 14802->14627 15132 40dd05 GetTickCount 14803->15132 14805 40e538 15139 40dbcf 14805->15139 14807 40e544 14808 40e555 GetFileSize 14807->14808 14811 40e5b8 14807->14811 14809 40e5b1 CloseHandle 14808->14809 14810 40e566 14808->14810 14809->14811 15149 40db2e 14810->15149 15158 40e3ca RegOpenKeyExA 14811->15158 14814 40e576 ReadFile 14814->14809 14816 40e58d 14814->14816 15153 40e332 14816->15153 14818 40e5f2 14820 40e3ca 19 API calls 14818->14820 14821 40e629 14818->14821 14820->14821 14821->14583 14823 40eabe 14822->14823 14825 40eaba 14822->14825 14824 40dd05 6 API calls 14823->14824 
14823->14825 14824->14825 14825->14588 14827 40ee2a 14826->14827 14828 401db4 GetVersionExA 14827->14828 14829 401dd0 GetSystemInfo GetModuleHandleA GetProcAddress 14828->14829 14831 401e24 14829->14831 14832 401e16 GetCurrentProcess 14829->14832 15211 40e819 14831->15211 14832->14831 14834 401e3d 14835 40e819 11 API calls 14834->14835 14836 401e4e 14835->14836 14837 401e77 14836->14837 15218 40df70 14836->15218 15227 40ea84 14837->15227 14841 401e6c 14842 40df70 12 API calls 14841->14842 14842->14837 14843 40e819 11 API calls 14844 401e93 14843->14844 15231 40199c inet_addr LoadLibraryA 14844->15231 14847 40e819 11 API calls 14848 401eb9 14847->14848 14849 401ed8 14848->14849 14851 40f04e 4 API calls 14848->14851 14850 40e819 11 API calls 14849->14850 14853 401eee 14850->14853 14852 401ec9 14851->14852 14854 40ea84 30 API calls 14852->14854 14855 401f0a 14853->14855 15244 401b71 14853->15244 14854->14849 14857 40e819 11 API calls 14855->14857 14859 401f23 14857->14859 14858 401efd 14860 40ea84 30 API calls 14858->14860 14861 401f3f 14859->14861 15248 401bdf 14859->15248 14860->14855 14862 40e819 11 API calls 14861->14862 14865 401f5e 14862->14865 14867 401f77 14865->14867 14868 40ea84 30 API calls 14865->14868 14866 40ea84 30 API calls 14866->14861 15255 4030b5 14867->15255 14868->14867 14872 406ec3 2 API calls 14873 401f8e GetTickCount 14872->14873 14873->14593 14875 406ec3 2 API calls 14874->14875 14876 4080eb 14875->14876 14877 4080f9 14876->14877 14878 4080ef 14876->14878 14880 40704c 16 API calls 14877->14880 15303 407ee6 14878->15303 14882 408110 14880->14882 14881 408269 CreateThread 14899 405e6c 14881->14899 15633 40877e 14881->15633 14884 408156 RegOpenKeyExA 14882->14884 14885 4080f4 14882->14885 14883 40675c 21 API calls 14889 408244 14883->14889 14884->14885 14886 40816d RegQueryValueExA 14884->14886 14885->14881 14885->14883 14887 4081f7 14886->14887 14888 40818d 14886->14888 14890 40820d RegCloseKey 14887->14890 14892 40ec2e codecvt 4 API calls 
14887->14892 14888->14887 14893 40ebcc 4 API calls 14888->14893 14889->14881 14891 40ec2e codecvt 4 API calls 14889->14891 14890->14885 14891->14881 14898 4081dd 14892->14898 14894 4081a0 14893->14894 14894->14890 14895 4081aa RegQueryValueExA 14894->14895 14895->14887 14896 4081c4 14895->14896 14897 40ebcc 4 API calls 14896->14897 14897->14898 14898->14890 15371 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 14899->15371 14901 405e71 15372 40e654 14901->15372 14903 405ec1 14904 403132 14903->14904 14905 40df70 12 API calls 14904->14905 14906 40313b 14905->14906 14907 40c125 14906->14907 15383 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 14907->15383 14909 40c12d 14910 40e654 13 API calls 14909->14910 14911 40c2bd 14910->14911 14912 40e654 13 API calls 14911->14912 14913 40c2c9 14912->14913 14914 40e654 13 API calls 14913->14914 14915 40a47a 14914->14915 14916 408db1 14915->14916 14917 408dbc 14916->14917 14918 40e654 13 API calls 14917->14918 14919 408dec Sleep 14918->14919 14919->14629 14921 40c92f 14920->14921 14922 40c93c 14921->14922 15384 40c517 14921->15384 14924 40ca2b 14922->14924 14925 40e819 11 API calls 14922->14925 14924->14629 14926 40c96a 14925->14926 14927 40e819 11 API calls 14926->14927 14928 40c97d 14927->14928 14929 40e819 11 API calls 14928->14929 14930 40c990 14929->14930 14931 40c9aa 14930->14931 14932 40ebcc 4 API calls 14930->14932 14931->14924 15401 402684 14931->15401 14932->14931 14937 40ca26 15408 40c8aa 14937->15408 14940 40ca44 14941 40ca4b closesocket 14940->14941 14942 40ca83 14940->14942 14941->14937 14943 40ea84 30 API calls 14942->14943 14944 40caac 14943->14944 14945 40f04e 4 API calls 14944->14945 14946 40cab2 14945->14946 14947 40ea84 30 API calls 14946->14947 14948 40caca 14947->14948 14949 40ea84 30 API calls 14948->14949 14950 40cad9 14949->14950 15416 40c65c 14950->15416 14953 40cb60 closesocket 14953->14924 14955 40dad2 closesocket 14956 40e318 23 API calls 14955->14956 14956->14924 
14957 40df4c 20 API calls 14970 40cb70 14957->14970 14962 40c65c send GetProcessHeap HeapSize GetProcessHeap HeapAlloc 14962->14970 14963 40e654 13 API calls 14963->14970 14966 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 14966->14970 14970->14955 14970->14957 14970->14962 14970->14963 14970->14966 14971 40ea84 30 API calls 14970->14971 14972 40cc1c GetTempPathA 14970->14972 14973 40d569 closesocket Sleep 14970->14973 14974 40d815 wsprintfA 14970->14974 14975 40c517 23 API calls 14970->14975 14977 40e8a1 30 API calls 14970->14977 14979 40cfe3 GetSystemDirectoryA 14970->14979 14980 40cfad GetEnvironmentVariableA 14970->14980 14981 40675c 21 API calls 14970->14981 14982 40d027 GetSystemDirectoryA 14970->14982 14983 40d105 lstrcatA 14970->14983 14984 40ef1e lstrlenA 14970->14984 14985 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 14970->14985 14986 40cc9f CreateFileA 14970->14986 14987 40d15b CreateFileA 14970->14987 14989 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 14970->14989 14993 40d149 SetFileAttributesA 14970->14993 14995 40d36e GetEnvironmentVariableA 14970->14995 14996 40d1bf SetFileAttributesA 14970->14996 14998 407ead 6 API calls 14970->14998 14999 40d22d GetEnvironmentVariableA 14970->14999 15000 40d3af lstrcatA 14970->15000 15002 407fcf 64 API calls 14970->15002 15003 40d3f2 CreateFileA 14970->15003 15011 40d4b1 CreateProcessA 14970->15011 15012 40d3e0 SetFileAttributesA 14970->15012 15013 40d26e lstrcatA 14970->15013 15015 40d2b1 CreateFileA 14970->15015 15016 407ee6 64 API calls 14970->15016 15017 40d452 SetFileAttributesA 14970->15017 15020 40d29f SetFileAttributesA 14970->15020 15022 40d31d SetFileAttributesA 14970->15022 15424 40c75d 14970->15424 15436 407e2f 14970->15436 15458 407ead 14970->15458 15468 4031d0 14970->15468 15485 403c09 14970->15485 15495 403a00 14970->15495 15499 40e7b4 14970->15499 15502 40c06c 14970->15502 15508 406f5f GetUserNameA 
14970->15508 15519 40e854 14970->15519 15529 407dd6 14970->15529 14971->14970 14972->14970 15463 40e318 14973->15463 14974->14970 14975->14970 14977->14970 14978 40d582 ExitProcess 14979->14970 14980->14970 14981->14970 14982->14970 14983->14970 14984->14970 14985->14970 14986->14970 14988 40ccc6 WriteFile 14986->14988 14987->14970 14990 40d182 WriteFile CloseHandle 14987->14990 14991 40cdcc CloseHandle 14988->14991 14992 40cced CloseHandle 14988->14992 14989->14970 14990->14970 14991->14970 14997 40cd2f 14992->14997 14993->14987 14994 40cd16 wsprintfA 14994->14997 14995->14970 14996->14970 14997->14994 15445 407fcf 14997->15445 14998->14970 14999->14970 15000->14970 15000->15003 15002->14970 15003->14970 15005 40d415 WriteFile CloseHandle 15003->15005 15005->14970 15006 40cd81 WaitForSingleObject CloseHandle CloseHandle 15009 40f04e 4 API calls 15006->15009 15007 40cda5 15008 407ee6 64 API calls 15007->15008 15010 40cdbd DeleteFileA 15008->15010 15009->15007 15010->14970 15011->14970 15014 40d4e8 CloseHandle CloseHandle 15011->15014 15012->15003 15013->14970 15013->15015 15014->14970 15015->14970 15018 40d2d8 WriteFile CloseHandle 15015->15018 15016->14970 15017->14970 15018->14970 15020->15015 15022->14970 15024 40741b 15023->15024 15025 406dc2 6 API calls 15024->15025 15026 40743f 15025->15026 15027 407469 RegOpenKeyExA 15026->15027 15028 4077f9 15027->15028 15038 407487 ___ascii_stricmp 15027->15038 15028->14696 15029 407703 RegEnumKeyA 15030 407714 RegCloseKey 15029->15030 15029->15038 15030->15028 15031 4074d2 RegOpenKeyExA 15031->15038 15032 40772c 15034 407742 RegCloseKey 15032->15034 15035 40774b 15032->15035 15033 407521 RegQueryValueExA 15033->15038 15034->15035 15036 4077ec RegCloseKey 15035->15036 15036->15028 15037 4076e4 RegCloseKey 15037->15038 15038->15029 15038->15031 15038->15032 15038->15033 15038->15037 15040 40f1a5 lstrlenA 15038->15040 15041 40777e GetFileAttributesExA 15038->15041 15042 407769 15038->15042 15039 4077e3 RegCloseKey 
15039->15036 15040->15038 15041->15042 15042->15039 15044 407073 15043->15044 15045 4070b9 RegOpenKeyExA 15044->15045 15046 4070d0 15045->15046 15060 4071b8 15045->15060 15047 406dc2 6 API calls 15046->15047 15050 4070d5 15047->15050 15048 40719b RegEnumValueA 15049 4071af RegCloseKey 15048->15049 15048->15050 15049->15060 15050->15048 15052 4071d0 15050->15052 15066 40f1a5 lstrlenA 15050->15066 15053 407205 RegCloseKey 15052->15053 15054 407227 15052->15054 15053->15060 15055 4072b8 ___ascii_stricmp 15054->15055 15056 40728e RegCloseKey 15054->15056 15057 4072cd RegCloseKey 15055->15057 15058 4072dd 15055->15058 15056->15060 15057->15060 15059 407311 RegCloseKey 15058->15059 15062 407335 15058->15062 15059->15060 15060->14700 15061 4073d5 RegCloseKey 15063 4073e4 15061->15063 15062->15061 15064 40737e GetFileAttributesExA 15062->15064 15065 407397 15062->15065 15064->15065 15065->15061 15067 40f1c3 15066->15067 15067->15050 15069 406e97 15068->15069 15070 406e5f LookupAccountNameW 15068->15070 15069->14702 15070->15069 15072 40eb17 15071->15072 15074 40eb21 15071->15074 15081 40eae4 15072->15081 15074->14741 15077 4069b9 WriteFile 15075->15077 15078 406a3c 15077->15078 15080 4069ff 15077->15080 15078->14738 15078->14739 15079 406a10 WriteFile 15079->15078 15079->15080 15080->15078 15080->15079 15082 40eb02 GetProcAddress 15081->15082 15083 40eaed LoadLibraryA 15081->15083 15082->15074 15083->15082 15084 40eb01 15083->15084 15084->15074 15086 401924 GetVersionExA 15085->15086 15086->14753 15088 406f55 15087->15088 15089 406eef AllocateAndInitializeSid 15087->15089 15088->14762 15090 406f44 15089->15090 15091 406f1c CheckTokenMembership 15089->15091 15090->15088 15094 406e36 2 API calls 15090->15094 15092 406f3b FreeSid 15091->15092 15093 406f2e 15091->15093 15092->15090 15093->15092 15094->15088 15096 40f0f1 15095->15096 15097 40f0ed 15095->15097 15098 40f119 15096->15098 15099 40f0fa lstrlenA SysAllocStringByteLen 15096->15099 15097->14785 15101 40f11c 
MultiByteToWideChar 15098->15101 15100 40f117 15099->15100 15099->15101 15100->14785 15101->15100 15103 4018f9 15102->15103 15104 4018fd 15102->15104 15103->14779 15112 401280 15104->15112 15106 401908 15106->14779 15108 409308 15107->15108 15110 40920e 15107->15110 15108->14779 15109 4092f1 Sleep 15109->15110 15110->15108 15110->15109 15110->15110 15111 4092bf ShellExecuteA 15110->15111 15111->15108 15111->15110 15115 4012e1 ShellExecuteExW 15112->15115 15114 4016f9 GetLastError 15117 401699 15114->15117 15115->15114 15116 4013a8 15115->15116 15116->15117 15118 401570 lstrlenW 15116->15118 15119 4015be GetStartupInfoW 15116->15119 15120 4015ff CreateProcessWithLogonW 15116->15120 15124 401668 CloseHandle 15116->15124 15117->15106 15118->15116 15119->15116 15121 4016bf GetLastError 15120->15121 15122 40163f WaitForSingleObject 15120->15122 15121->15117 15122->15116 15123 401659 CloseHandle 15122->15123 15123->15116 15124->15116 15126 40908d 15125->15126 15127 4090e2 wsprintfA 15126->15127 15128 40ee2a 15127->15128 15129 4090fd CreateFileA 15128->15129 15130 40911a lstrlenA WriteFile CloseHandle 15129->15130 15131 40913f 15129->15131 15130->15131 15131->14801 15131->14802 15133 40dd41 InterlockedExchange 15132->15133 15134 40dd20 GetCurrentThreadId 15133->15134 15135 40dd4a 15133->15135 15136 40dd53 GetCurrentThreadId 15134->15136 15137 40dd2e GetTickCount 15134->15137 15135->15136 15136->14805 15137->15135 15138 40dd39 Sleep 15137->15138 15138->15133 15140 40dbf0 15139->15140 15172 40db67 GetEnvironmentVariableA 15140->15172 15142 40dc19 15143 40dcda 15142->15143 15144 40db67 3 API calls 15142->15144 15143->14807 15145 40dc5c 15144->15145 15145->15143 15146 40db67 3 API calls 15145->15146 15147 40dc9b 15146->15147 15147->15143 15148 40db67 3 API calls 15147->15148 15148->15143 15150 40db3a 15149->15150 15152 40db55 15149->15152 15176 40ebed 15150->15176 15152->14809 15152->14814 15185 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15153->15185 15155 40e3be 
15155->14809 15157 40e342 15157->15155 15188 40de24 15157->15188 15159 40e528 15158->15159 15160 40e3f4 15158->15160 15159->14818 15161 40e434 RegQueryValueExA 15160->15161 15162 40e458 15161->15162 15163 40e51d RegCloseKey 15161->15163 15164 40e46e RegQueryValueExA 15162->15164 15163->15159 15164->15162 15165 40e488 15164->15165 15165->15163 15166 40db2e 8 API calls 15165->15166 15167 40e499 15166->15167 15167->15163 15168 40e4b9 RegQueryValueExA 15167->15168 15169 40e4e8 15167->15169 15168->15167 15168->15169 15169->15163 15170 40e332 14 API calls 15169->15170 15171 40e513 15170->15171 15171->15163 15173 40db89 lstrcpyA CreateFileA 15172->15173 15174 40dbca 15172->15174 15173->15142 15174->15142 15177 40ec01 15176->15177 15178 40ebf6 15176->15178 15180 40eba0 codecvt 2 API calls 15177->15180 15179 40ebcc 4 API calls 15178->15179 15182 40ebfe 15179->15182 15181 40ec0a GetProcessHeap HeapReAlloc 15180->15181 15183 40eb74 2 API calls 15181->15183 15182->15152 15184 40ec28 15183->15184 15184->15152 15199 40eb41 15185->15199 15189 40de3a 15188->15189 15194 40de4e 15189->15194 15203 40dd84 15189->15203 15192 40ebed 8 API calls 15197 40def6 15192->15197 15193 40de9e 15193->15192 15193->15194 15194->15157 15195 40de76 15207 40ddcf 15195->15207 15197->15194 15198 40ddcf lstrcmpA 15197->15198 15198->15194 15200 40eb4a 15199->15200 15202 40eb54 15199->15202 15201 40eae4 2 API calls 15200->15201 15201->15202 15202->15157 15204 40ddc5 15203->15204 15205 40dd96 15203->15205 15204->15193 15204->15195 15205->15204 15206 40ddad lstrcmpiA 15205->15206 15206->15204 15206->15205 15208 40de20 15207->15208 15209 40dddd 15207->15209 15208->15194 15209->15208 15210 40ddfa lstrcmpA 15209->15210 15210->15209 15212 40dd05 6 API calls 15211->15212 15213 40e821 15212->15213 15214 40dd84 lstrcmpiA 15213->15214 15215 40e82c 15214->15215 15216 40e844 15215->15216 15259 402480 15215->15259 15216->14834 15219 40dd05 6 API calls 15218->15219 15220 40df7c 15219->15220 15221 40dd84 lstrcmpiA 
15220->15221 15222 40df89 15221->15222 15223 40dfc4 15222->15223 15224 40ddcf lstrcmpA 15222->15224 15225 40ec2e codecvt 4 API calls 15222->15225 15226 40dd84 lstrcmpiA 15222->15226 15223->14841 15224->15222 15225->15222 15226->15222 15228 40ea98 15227->15228 15268 40e8a1 15228->15268 15230 401e84 15230->14843 15232 4019d5 GetProcAddress GetProcAddress GetProcAddress 15231->15232 15236 4019ce 15231->15236 15233 401ab3 FreeLibrary 15232->15233 15234 401a04 15232->15234 15233->15236 15234->15233 15235 401a14 GetProcessHeap 15234->15235 15235->15236 15238 401a2e HeapAlloc 15235->15238 15236->14847 15238->15236 15239 401a42 15238->15239 15240 401a52 HeapReAlloc 15239->15240 15242 401a62 15239->15242 15240->15242 15241 401aa1 FreeLibrary 15241->15236 15242->15241 15243 401a96 HeapFree 15242->15243 15243->15241 15296 401ac3 LoadLibraryA 15244->15296 15247 401bcf 15247->14858 15249 401ac3 12 API calls 15248->15249 15250 401c09 15249->15250 15251 401c41 15250->15251 15252 401c0d GetComputerNameA 15250->15252 15251->14866 15253 401c45 GetVolumeInformationA 15252->15253 15254 401c1f 15252->15254 15253->15251 15254->15251 15254->15253 15256 40ee2a 15255->15256 15257 4030d0 gethostname gethostbyname 15256->15257 15258 401f82 15257->15258 15258->14872 15258->14873 15262 402419 lstrlenA 15259->15262 15261 402491 15261->15216 15263 402474 15262->15263 15264 40243d lstrlenA 15262->15264 15263->15261 15265 402464 lstrlenA 15264->15265 15266 40244e lstrcmpiA 15264->15266 15265->15263 15265->15264 15266->15265 15267 40245c 15266->15267 15267->15263 15267->15265 15269 40dd05 6 API calls 15268->15269 15270 40e8b4 15269->15270 15271 40dd84 lstrcmpiA 15270->15271 15272 40e8c0 15271->15272 15273 40e8c8 lstrcpynA 15272->15273 15282 40e90a 15272->15282 15274 40e8f5 15273->15274 15289 40df4c 15274->15289 15275 402419 4 API calls 15276 40e926 lstrlenA lstrlenA 15275->15276 15278 40e96a 15276->15278 15279 40e94c lstrlenA 15276->15279 15283 40ebcc 4 API calls 15278->15283 15284 40ea27 
15278->15284 15279->15278 15280 40e901 15281 40dd84 lstrcmpiA 15280->15281 15281->15282 15282->15275 15282->15284 15285 40e98f 15283->15285 15284->15230 15285->15284 15286 40df4c 20 API calls 15285->15286 15287 40ea1e 15286->15287 15288 40ec2e codecvt 4 API calls 15287->15288 15288->15284 15290 40dd05 6 API calls 15289->15290 15291 40df51 15290->15291 15292 40f04e 4 API calls 15291->15292 15293 40df58 15292->15293 15294 40de24 10 API calls 15293->15294 15295 40df63 15294->15295 15295->15280 15297 401ae2 GetProcAddress 15296->15297 15302 401b68 GetComputerNameA GetVolumeInformationA 15296->15302 15298 401af5 15297->15298 15297->15302 15299 40ebed 8 API calls 15298->15299 15300 401b29 15298->15300 15299->15298 15300->15300 15301 40ec2e codecvt 4 API calls 15300->15301 15300->15302 15301->15302 15302->15247 15304 406ec3 2 API calls 15303->15304 15305 407ef4 15304->15305 15306 407fc9 15305->15306 15307 4073ff 17 API calls 15305->15307 15306->14885 15308 407f16 15307->15308 15308->15306 15316 407809 GetUserNameA 15308->15316 15310 407f63 15310->15306 15311 40ef1e lstrlenA 15310->15311 15312 407fa6 15311->15312 15313 40ef1e lstrlenA 15312->15313 15314 407fb7 15313->15314 15340 407a95 RegOpenKeyExA 15314->15340 15317 40783d LookupAccountNameA 15316->15317 15318 407a8d 15316->15318 15317->15318 15319 407874 GetLengthSid GetFileSecurityA 15317->15319 15318->15310 15319->15318 15320 4078a8 GetSecurityDescriptorOwner 15319->15320 15321 4078c5 EqualSid 15320->15321 15322 40791d GetSecurityDescriptorDacl 15320->15322 15321->15322 15323 4078dc LocalAlloc 15321->15323 15322->15318 15338 407941 15322->15338 15323->15322 15324 4078ef InitializeSecurityDescriptor 15323->15324 15325 407916 LocalFree 15324->15325 15326 4078fb SetSecurityDescriptorOwner 15324->15326 15325->15322 15326->15325 15328 40790b SetFileSecurityA 15326->15328 15327 40795b GetAce 15327->15338 15328->15325 15329 407980 EqualSid 15329->15338 15330 407a3d 15330->15318 15333 407a43 LocalAlloc 15330->15333 15331 
4079be EqualSid 15331->15338 15332 40799d DeleteAce 15332->15338 15333->15318 15334 407a56 InitializeSecurityDescriptor 15333->15334 15335 407a62 SetSecurityDescriptorDacl 15334->15335 15336 407a86 LocalFree 15334->15336 15335->15336 15337 407a73 SetFileSecurityA 15335->15337 15336->15318 15337->15336 15339 407a83 15337->15339 15338->15318 15338->15327 15338->15329 15338->15330 15338->15331 15338->15332 15339->15336 15341 407ac4 15340->15341 15342 407acb GetUserNameA 15340->15342 15341->15306 15343 407da7 RegCloseKey 15342->15343 15344 407aed LookupAccountNameA 15342->15344 15343->15341 15344->15343 15345 407b24 RegGetKeySecurity 15344->15345 15345->15343 15346 407b49 GetSecurityDescriptorOwner 15345->15346 15347 407b63 EqualSid 15346->15347 15348 407bb8 GetSecurityDescriptorDacl 15346->15348 15347->15348 15349 407b74 LocalAlloc 15347->15349 15350 407da6 15348->15350 15358 407bdc 15348->15358 15349->15348 15351 407b8a InitializeSecurityDescriptor 15349->15351 15350->15343 15352 407bb1 LocalFree 15351->15352 15353 407b96 SetSecurityDescriptorOwner 15351->15353 15352->15348 15353->15352 15355 407ba6 RegSetKeySecurity 15353->15355 15354 407bf8 GetAce 15354->15358 15355->15352 15356 407c1d EqualSid 15356->15358 15357 407c5f EqualSid 15357->15358 15358->15350 15358->15354 15358->15356 15358->15357 15359 407c3a DeleteAce 15358->15359 15360 407cd9 15358->15360 15359->15358 15360->15350 15361 407d5a LocalAlloc 15360->15361 15362 407cf2 RegOpenKeyExA 15360->15362 15361->15350 15363 407d70 InitializeSecurityDescriptor 15361->15363 15362->15361 15368 407d0f 15362->15368 15364 407d7c SetSecurityDescriptorDacl 15363->15364 15365 407d9f LocalFree 15363->15365 15364->15365 15366 407d8c RegSetKeySecurity 15364->15366 15365->15350 15366->15365 15367 407d9c 15366->15367 15367->15365 15369 407d43 RegSetValueExA 15368->15369 15369->15361 15370 407d54 15369->15370 15370->15361 15371->14901 15373 40dd05 6 API calls 15372->15373 15377 40e65f 15373->15377 15374 40e6a5 15375 40ebcc 4 API 
calls 15374->15375 15382 40e6f5 15374->15382 15376 40e6b0 15375->15376 15378 40e6b7 15376->15378 15381 40e6e0 lstrcpynA 15376->15381 15376->15382 15377->15374 15379 40e68c lstrcmpA 15377->15379 15378->14903 15379->15377 15380 40e71d lstrcmpA 15380->15382 15381->15382 15382->15378 15382->15380 15383->14909 15385 40c525 15384->15385 15386 40c532 15384->15386 15385->15386 15389 40ec2e codecvt 4 API calls 15385->15389 15387 40c548 15386->15387 15536 40e7ff 15386->15536 15390 40e7ff lstrcmpiA 15387->15390 15398 40c54f 15387->15398 15389->15386 15391 40c615 15390->15391 15392 40ebcc 4 API calls 15391->15392 15391->15398 15392->15398 15393 40c5d1 15396 40ebcc 4 API calls 15393->15396 15395 40e819 11 API calls 15397 40c5b7 15395->15397 15396->15398 15399 40f04e 4 API calls 15397->15399 15398->14922 15400 40c5bf 15399->15400 15400->15387 15400->15393 15402 402692 inet_addr 15401->15402 15403 40268e 15401->15403 15402->15403 15404 40269e gethostbyname 15402->15404 15405 40f428 15403->15405 15404->15403 15539 40f315 15405->15539 15410 40c8d2 15408->15410 15409 40c907 15409->14924 15410->15409 15411 40c517 23 API calls 15410->15411 15411->15409 15412 40f43e 15413 40f473 recv 15412->15413 15414 40f458 15413->15414 15415 40f47c 15413->15415 15414->15413 15414->15415 15415->14940 15417 40c670 15416->15417 15418 40c67d 15416->15418 15419 40ebcc 4 API calls 15417->15419 15420 40ebcc 4 API calls 15418->15420 15422 40c699 15418->15422 15419->15418 15420->15422 15421 40c6f3 15421->14953 15421->14970 15422->15421 15423 40c73c send 15422->15423 15423->15421 15425 40c770 15424->15425 15426 40c77d 15424->15426 15428 40ebcc 4 API calls 15425->15428 15427 40c799 15426->15427 15429 40ebcc 4 API calls 15426->15429 15430 40c7b5 15427->15430 15431 40ebcc 4 API calls 15427->15431 15428->15426 15429->15427 15432 40f43e recv 15430->15432 15431->15430 15433 40c7cb 15432->15433 15434 40f43e recv 15433->15434 15435 40c7d3 15433->15435 15434->15435 15435->14970 15552 407db7 15436->15552 15439 40f04e 4 
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\vyrcclmm.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Strings
Memory Dump Source
• Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
Yara matches
Similarity
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Users\user\Desktop\vyrcclmm.exe$C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe$D$P$\$bzycpcet
• API String ID: 2089075347-4077984937
• Opcode ID: 51b3fdeb16769e607b7420a4e79e81e5addf88b96e881b4fbfa3e3990a533921
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 51b3fdeb16769e607b7420a4e79e81e5addf88b96e881b4fbfa3e3990a533921
                                                                                          • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                          • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                          • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 1965334864-0
                                                                                          • Opcode ID: ee9ff6285cd0759b386b71dc2009f55f092fb3ff13d227db5bcc73c144141d81
                                                                                          • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                          • Opcode Fuzzy Hash: ee9ff6285cd0759b386b71dc2009f55f092fb3ff13d227db5bcc73c144141d81
                                                                                          • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,771B0F10,00000000), ref: 00407472
                                                                                          • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,771B0F10,00000000), ref: 004074F0
                                                                                          • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,771B0F10,00000000), ref: 00407528
                                                                                          • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,771B0F10,00000000), ref: 004076E7
                                                                                          • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 00407717
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,771B0F10,00000000), ref: 00407745
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 004077EF
                                                                                            • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                          • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                          • String ID: "
                                                                                          • API String ID: 3433985886-123907689
                                                                                          • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                          • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                          • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                          • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                          • ExitProcess.KERNEL32 ref: 00404121
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateEventExitProcess
                                                                                          • String ID:
                                                                                          • API String ID: 2404124870-0
                                                                                          • Opcode ID: fb32ede88c892ccab39cf83d003fcbea33a4e2e8563a4575a47fd59e5a1c2ade
                                                                                          • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                          • Opcode Fuzzy Hash: fb32ede88c892ccab39cf83d003fcbea33a4e2e8563a4575a47fd59e5a1c2ade
                                                                                          • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9

                                                                                          APIs
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 029B024D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID: cess$kernel32.dll
                                                                                          • API String ID: 4275171209-1230238691
                                                                                          • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                          • Instruction ID: 42523d658734be5adc1b1daf10dbf1cb7dd777a4bc5754a5a5006f2d178b3ac3
                                                                                          • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                          • Instruction Fuzzy Hash: 87527974A01229DFDB65CF68C984BADBBB5BF09304F1480D9E94DAB351DB30AA85CF14

                                                                                          APIs
                                                                                          • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                          • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                          • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                          • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                          • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                          • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                          • String ID: D
                                                                                          • API String ID: 2098669666-2746444292
                                                                                          • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                          • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                          • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                          • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                          • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                          • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseHandle$CreateEvent
                                                                                          • String ID:
                                                                                          • API String ID: 1371578007-0
                                                                                          • Opcode ID: ef12e745c0d8ac77b0bd51427e5f83480508b91c038ebc09813fba6640af01bf
                                                                                          • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                                          • Opcode Fuzzy Hash: ef12e745c0d8ac77b0bd51427e5f83480508b91c038ebc09813fba6640af01bf
                                                                                          • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4

                                                                                          APIs
                                                                                          • ReadFile.KERNELBASE(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                          • GetLastError.KERNEL32 ref: 00403FC2
                                                                                          • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                          • String ID:
                                                                                          • API String ID: 888215731-0
                                                                                          • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                          • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                          • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                          • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6

                                                                                          APIs
                                                                                          • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                          • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                          • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateErrorFileLastSleep
                                                                                          • String ID:
                                                                                          • API String ID: 408151869-0
                                                                                          • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                          • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                          • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                          • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                          Control-flow Graph

                                                                                          APIs
                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                          • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                          • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$CountFileInformationSystemTickVolume
                                                                                          • String ID:
                                                                                          • API String ID: 1209300637-0
                                                                                          • Opcode ID: 4febc6132cbb2eeae90f99f22907b6d3a51082cd0e0b87a57774915eab482f02
                                                                                          • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                          • Opcode Fuzzy Hash: 4febc6132cbb2eeae90f99f22907b6d3a51082cd0e0b87a57774915eab482f02
                                                                                          • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 609 406e36-406e5d GetUserNameW 610 406ebe-406ec2 609->610 611 406e5f-406e95 LookupAccountNameW 609->611 611->610 612 406e97-406e9b 611->612 613 406ebb-406ebd 612->613 614 406e9d-406ea3 612->614 613->610 614->613 615 406ea5-406eaa 614->615 616 406eb7-406eb9 615->616 617 406eac-406eb0 615->617 616->610 617->613 618 406eb2-406eb5 617->618 618->613 618->616
                                                                                          APIs
                                                                                          • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                          • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$AccountLookupUser
                                                                                          • String ID:
                                                                                          • API String ID: 2370142434-0
                                                                                          • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                          • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                          • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                          • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 619 29f1804-29f181d 620 29f181f-29f1821 619->620 621 29f1828-29f1834 CreateToolhelp32Snapshot 620->621 622 29f1823 620->622 623 29f1836-29f183c 621->623 624 29f1844-29f1851 Module32First 621->624 622->621 623->624 631 29f183e-29f1842 623->631 625 29f185a-29f1862 624->625 626 29f1853-29f1854 call 29f14c3 624->626 629 29f1859 626->629 629->625 631->620 631->624
                                                                                          APIs
                                                                                          • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 029F182C
                                                                                          • Module32First.KERNEL32(00000000,00000224), ref: 029F184C
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689220789.00000000029ED000.00000040.00000020.00020000.00000000.sdmp, Offset: 029ED000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29ed000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                          • String ID:
                                                                                          • API String ID: 3833638111-0
                                                                                          • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                          • Instruction ID: cba2cb0b45bd6d53a6d8831e4b0acdeebb2af896d453985cd3259d8ea534d757
                                                                                          • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                          • Instruction Fuzzy Hash: 2CF09632100711AFD7A03BF99D8DBAE76ECEF49625F100528E75A924C0DB70E8454BA1

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 632 29b0e0f-29b0e24 SetErrorMode * 2 633 29b0e2b-29b0e2c 632->633 634 29b0e26 632->634 634->633
                                                                                          APIs
                                                                                          • SetErrorMode.KERNELBASE(00000400,?,?,029B0223,?,?), ref: 029B0E19
                                                                                          • SetErrorMode.KERNELBASE(00000000,?,?,029B0223,?,?), ref: 029B0E1E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorMode
                                                                                          • String ID:
                                                                                          • API String ID: 2340568224-0
                                                                                          • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                          • Instruction ID: 8c5091a75a8c552e1507ec5e9f2876851e53a5403109e6d851cc54e5729abfa9
                                                                                          • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                          • Instruction Fuzzy Hash: 16D01236245228B7DB012AD4DC09BCEBB1CDF09BA6F008021FB0DE9080CBB09A4046EA

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 635 406dc2-406dd5 636 406e33-406e35 635->636 637 406dd7-406df1 call 406cc9 call 40ef00 635->637 642 406df4-406df9 637->642 642->642 643 406dfb-406e00 642->643 644 406e02-406e22 GetVolumeInformationA 643->644 645 406e24 643->645 644->645 646 406e2e 644->646 645->646 646->636
                                                                                          APIs
                                                                                            • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                            • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                            • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                            • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                          • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                          • String ID:
                                                                                          • API String ID: 1823874839-0
                                                                                          • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                          • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                          • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                          • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 647 409892-4098c0 648 4098c2-4098c5 647->648 649 4098d9 647->649 648->649 650 4098c7-4098d7 648->650 651 4098e0-4098f1 SetServiceStatus 649->651 650->651
                                                                                          APIs
                                                                                          • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ServiceStatus
                                                                                          • String ID:
                                                                                          • API String ID: 3969395364-0
                                                                                          • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                          • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                          • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                          • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                                          Control-flow Graph

                                                                                          control_flow_graph 652 29f14c3-29f14fd call 29f17d6 655 29f14ff-29f1532 VirtualAlloc call 29f1550 652->655 656 29f154b 652->656 658 29f1537-29f1549 655->658 656->656 658->656
                                                                                          APIs
                                                                                          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 029F1514
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689220789.00000000029ED000.00000040.00000020.00020000.00000000.sdmp, Offset: 029ED000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29ed000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual
                                                                                          • String ID:
                                                                                          • API String ID: 4275171209-0
                                                                                          • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                          • Instruction ID: bcf653143fe7555b77d3e2938ebd3bb25af154afe3661a71047874b8bac371ea
                                                                                          • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                          • Instruction Fuzzy Hash: A2113C79A00208EFDB41DF98C985E99BFF5AF08350F158094FA489B361D371EA50DF80
                                                                                          APIs
                                                                                            • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                          • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CreateEventSleep
                                                                                          • String ID:
                                                                                          • API String ID: 3100162736-0
                                                                                          • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                          • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                          • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                          • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000), ref: 029B65F6
                                                                                          • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 029B6610
                                                                                          • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 029B6631
                                                                                          • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 029B6652
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                          • String ID:
                                                                                          • API String ID: 1965334864-0
                                                                                          • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                          • Instruction ID: 2e641a22c38312b16daaee350788746e9877bd09c76a33a2abd2fb289dc01123
                                                                                          • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                          • Instruction Fuzzy Hash: 36113D71600218BFDB229F75DD49FDB3FACEF457A5F104024FA08A6250D7B1ED508AA4
                                                                                          APIs
                                                                                          • ExitProcess.KERNEL32 ref: 029B9E6D
                                                                                          • lstrcpy.KERNEL32(?,00000000), ref: 029B9FE1
                                                                                          • lstrcat.KERNEL32(?,?), ref: 029B9FF2
                                                                                          • lstrcat.KERNEL32(?,0041070C), ref: 029BA004
                                                                                          • GetFileAttributesExA.KERNEL32(?,?,?), ref: 029BA054
                                                                                          • DeleteFileA.KERNEL32(?), ref: 029BA09F
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 029BA0D6
                                                                                          • lstrcpy.KERNEL32 ref: 029BA12F
                                                                                          • lstrlen.KERNEL32(00000022), ref: 029BA13C
                                                                                          • GetTempPathA.KERNEL32(000001F4,?), ref: 029B9F13
                                                                                            • Part of subcall function 029B7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 029B7081
                                                                                            • Part of subcall function 029B6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\fdcgtgix,029B7043), ref: 029B6F4E
                                                                                            • Part of subcall function 029B6F30: GetProcAddress.KERNEL32(00000000), ref: 029B6F55
                                                                                            • Part of subcall function 029B6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 029B6F7B
                                                                                            • Part of subcall function 029B6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 029B6F92
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 029BA1A2
                                                                                          • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 029BA1C5
                                                                                          • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 029BA214
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 029BA21B
                                                                                          • GetDriveTypeA.KERNEL32(?), ref: 029BA265
                                                                                          • lstrcat.KERNEL32(?,00000000), ref: 029BA29F
                                                                                          • lstrcat.KERNEL32(?,00410A34), ref: 029BA2C5
                                                                                          • lstrcat.KERNEL32(?,00000022), ref: 029BA2D9
                                                                                          • lstrcat.KERNEL32(?,00410A34), ref: 029BA2F4
                                                                                          • wsprintfA.USER32 ref: 029BA31D
                                                                                          • lstrcat.KERNEL32(?,00000000), ref: 029BA345
                                                                                          • lstrcat.KERNEL32(?,?), ref: 029BA364
                                                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 029BA387
                                                                                          • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 029BA398
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 029BA1D1
                                                                                            • Part of subcall function 029B9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 029B999D
                                                                                            • Part of subcall function 029B9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 029B99BD
                                                                                            • Part of subcall function 029B9966: RegCloseKey.ADVAPI32(?), ref: 029B99C6
                                                                                          • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 029BA3DB
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 029BA3E2
                                                                                          • GetDriveTypeA.KERNEL32(00000022), ref: 029BA41D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                          • String ID: "$"$"$D$P$\
                                                                                          • API String ID: 1653845638-2605685093
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                                          • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                                          • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                                          • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                                          • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                                          • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                                          • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                                          • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressProc$LibraryLoad
                                                                                          • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                          • API String ID: 2238633743-3228201535
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                          • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                          • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                          • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                          • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                          • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                          • wsprintfA.USER32 ref: 0040B3B7
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                          • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                          • API String ID: 766114626-2976066047
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                                          • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                                          • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                                          • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                          • String ID: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe$D
                                                                                          • API String ID: 2976863881-1834141438
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 029B7D21
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 029B7D46
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 029B7D7D
                                                                                          • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 029B7DA2
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 029B7DC0
                                                                                          • EqualSid.ADVAPI32(?,?), ref: 029B7DD1
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 029B7DE5
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029B7DF3
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 029B7E03
                                                                                          • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 029B7E12
                                                                                          • LocalFree.KERNEL32(00000000), ref: 029B7E19
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 029B7E35
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                          • String ID: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe$D
                                                                                          • API String ID: 2976863881-1834141438
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                          • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                          • API String ID: 2400214276-165278494
                                                                                          APIs
                                                                                          • wsprintfA.USER32 ref: 0040A7FB
                                                                                          • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                                          • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                                          • wsprintfA.USER32 ref: 0040A8AF
                                                                                          • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                                          • wsprintfA.USER32 ref: 0040A8E2
                                                                                          • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                                          • wsprintfA.USER32 ref: 0040A9B9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: wsprintf$send$lstrlenrecv
                                                                                          • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                          • API String ID: 3650048968-2394369944
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                          • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                          • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                          • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                          • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                          • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                          • String ID: D
                                                                                          • API String ID: 3722657555-2746444292
                                                                                          APIs
• GetUserNameA.ADVAPI32(?,?), ref: 029B7A96
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 029B7ACD
• GetLengthSid.ADVAPI32(?), ref: 029B7ADF
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 029B7B01
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 029B7B1F
• EqualSid.ADVAPI32(?,?), ref: 029B7B39
• LocalAlloc.KERNEL32(00000040,00000014), ref: 029B7B4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029B7B58
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 029B7B68
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 029B7B77
• LocalFree.KERNEL32(00000000), ref: 029B7B7E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 029B7B9A
• GetAce.ADVAPI32(?,?,?), ref: 029B7BCA
• EqualSid.ADVAPI32(?,?), ref: 029B7BF1
• DeleteAce.ADVAPI32(?,?), ref: 029B7C0A
• EqualSid.ADVAPI32(?,?), ref: 029B7C2C
• LocalAlloc.KERNEL32(00000040,00000014), ref: 029B7CB1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 029B7CBF
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 029B7CD0
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 029B7CE0
• LocalFree.KERNEL32(00000000), ref: 029B7CEE
Memory Dump Source
• Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: f654d0ebd20af280c1c699e3fd905bd77509bb0b3fcbacd0931144b6a0a99d2b
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: 20813D72900219AFDB12CFE4DE88FEEBBBCAF48305F04816AE505E6250D7759A45CF64
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Memory Dump Source
• Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe$localcfg
• API String ID: 237177642-1129100248
• Opcode ID: 15b9b55687a82b41d6800692092713c8c708d1165b0f2aaaab3cbeed006d9429
• Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
• Opcode Fuzzy Hash: 15b9b55687a82b41d6800692092713c8c708d1165b0f2aaaab3cbeed006d9429
• Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
APIs
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• lstrlenW.KERNEL32(-00000003), ref: 00401571
Memory Dump Source
• Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
• API String ID: 1628651668-1839596206
• Opcode ID: 4a22ad167bc3991e7243980079933dba70382744969d1905516b1f864c22465e
• Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
• Opcode Fuzzy Hash: 4a22ad167bc3991e7243980079933dba70382744969d1905516b1f864c22465e
• Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
Memory Dump Source
• Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
• Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
• Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
• Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
APIs
• inet_addr.WS2_32(123.45.67.89), ref: 004019B1
• LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
• HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
Memory Dump Source
• Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
Similarity
• API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• API String ID: 835516345-270533642
• Opcode ID: c2d043fcc5cbb47ed0bea78f2b79b5e209498882ff798d96aae41c0d31e4dbc2
• Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
• Opcode Fuzzy Hash: c2d043fcc5cbb47ed0bea78f2b79b5e209498882ff798d96aae41c0d31e4dbc2
• Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 029B865A
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 029B867B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 029B86A8
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 029B86B1
Memory Dump Source
• Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
Similarity
• API ID: Value$CloseOpenQuery
• String ID: "$C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe
• API String ID: 237177642-2047947632
• Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction ID: 128f38fcc887b322a511e1dd8b67b7c755268c2cc85ed0bd091818acd99c2f06
• Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
• Instruction Fuzzy Hash: 88C17F71900149BFEF12ABA4DE89EEE7BBDEF48304F144066F604A6050E7714A948B65
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,771AF380), ref: 00402A83
• HeapAlloc.KERNEL32(00000000,?,771AF380), ref: 00402A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• htons.WS2_32(00000000), ref: 00402ADB
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• htons.WS2_32(?), ref: 00402B71
• htons.WS2_32(?), ref: 00402B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
Memory Dump Source
• Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
• Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
• Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
• Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
• Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
APIs
• ShellExecuteExW.SHELL32(?), ref: 029B1601
• lstrlenW.KERNEL32(-00000003), ref: 029B17D8
Memory Dump Source
• Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
• Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction ID: df3caf3a0597b9f19cd2fbfeb3b8e886828a1896a4627902182df770bcccf36e
• Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
• Instruction Fuzzy Hash: D4F1ACB11083819FD721CF64C998BEBB7E9FF88304F10892DF59A972A0D7B49944CB56
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 029B76D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 029B7757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 029B778F
• ___ascii_stricmp.LIBCMT ref: 029B78B4
• RegCloseKey.ADVAPI32(?), ref: 029B794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 029B796D
• RegCloseKey.ADVAPI32(?), ref: 029B797E
• RegCloseKey.ADVAPI32(?), ref: 029B79AC
• RegCloseKey.ADVAPI32(?), ref: 029B7A56
  • Part of subcall function 029BF40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,029B772A,?), ref: 029BF414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 029B79F6
• RegCloseKey.ADVAPI32(?), ref: 029B7A4D
Memory Dump Source
• Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
• Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction ID: 6f5b54e8bedef0f98781eeb8a28d7cd6d8db4efced1db3dc229972a8566402c9
• Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
• Instruction Fuzzy Hash: 52C17372900209AFDB12DBE4DE44FEEBBBDEF89710F1441A5E544E6190EB71DA84CB60
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,771B0F10,?,771B0F10,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(771B0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,771B0F10,00000000), ref: 0040719E
• RegCloseKey.ADVAPI32(771B0F10,?,771B0F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(771B0F10), ref: 00407208
• RegCloseKey.ADVAPI32(771B0F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(771B0F10), ref: 004072D0
• RegCloseKey.ADVAPI32(771B0F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(771B0F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
Memory Dump Source
• Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
• Opcode ID: 618cfb6f1b26c540220dcc2678a44076c62346fd56d5638b59146fa8fa35b1d5
• Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
• Opcode Fuzzy Hash: 618cfb6f1b26c540220dcc2678a44076c62346fd56d5638b59146fa8fa35b1d5
• Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69
APIs
• GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
• GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
• wsprintfA.USER32 ref: 004093CE
• wsprintfA.USER32 ref: 0040940C
• wsprintfA.USER32 ref: 0040948D
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
Memory Dump Source
• Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: runas
                                                                                          • API String ID: 3696105349-4000483414
                                                                                          • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                          • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                          • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                          • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                          APIs
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 029B2CED
                                                                                          • socket.WS2_32(00000002,00000002,00000011), ref: 029B2D07
                                                                                          • htons.WS2_32(00000000), ref: 029B2D42
                                                                                          • select.WS2_32 ref: 029B2D8F
                                                                                          • recv.WS2_32(?,00000000,00001000,00000000), ref: 029B2DB1
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108), ref: 029B2E62
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                          • String ID:
                                                                                          • API String ID: 127016686-0
                                                                                          • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                          • Instruction ID: a844754e445bd0e1a5e81102e49a2f9bdfbb3dfbc358388cf5ba20d742e5a797
                                                                                          • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                          • Instruction Fuzzy Hash: 9A61EF71904305ABC322AF65DD08BEBBBECEF88745F004829FD8497160D7B4D880CBA6
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                            • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                            • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                            • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                            • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                            • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                            • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                          • wsprintfA.USER32 ref: 0040AEA5
                                                                                            • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                          • wsprintfA.USER32 ref: 0040AE4F
                                                                                          • wsprintfA.USER32 ref: 0040AE5E
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                          • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                          • API String ID: 3631595830-1816598006
                                                                                          • Opcode ID: 5cd659d1eb2281404cf1ff7fe35be06c0bda1c6b56bcdef19fd154bc71bc5665
                                                                                          • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                          • Opcode Fuzzy Hash: 5cd659d1eb2281404cf1ff7fe35be06c0bda1c6b56bcdef19fd154bc71bc5665
                                                                                          • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(iphlpapi.dll,771B23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                          • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                          • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                          • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                          • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                          • htons.WS2_32(00000035), ref: 00402E88
                                                                                          • inet_addr.WS2_32(?), ref: 00402E93
                                                                                          • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                          • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                          • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                          • String ID: GetNetworkParams$iphlpapi.dll
                                                                                          • API String ID: 929413710-2099955842
                                                                                          • Opcode ID: d8108df1af11397a5f9eb0cb94d23b6045a7de0830802216e32b8eab0121211e
                                                                                          • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                          • Opcode Fuzzy Hash: d8108df1af11397a5f9eb0cb94d23b6045a7de0830802216e32b8eab0121211e
                                                                                          • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                          APIs
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 0040677E
                                                                                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 0040679A
                                                                                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 004067B0
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 004067BF
                                                                                          • GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 004067D3
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,771B0F10,00000000), ref: 00406807
                                                                                          • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040681F
                                                                                          • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 0040683E
                                                                                          • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040685C
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,771B0F10,00000000), ref: 0040688B
                                                                                          • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,771B0F10,00000000), ref: 00406906
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,771B0F10,00000000), ref: 0040691C
                                                                                          • CloseHandle.KERNEL32(000000FF,?,771B0F10,00000000), ref: 00406971
                                                                                            • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                            • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                          • String ID:
                                                                                          • API String ID: 2622201749-0
                                                                                          • Opcode ID: e164254f3378dd396073a59d5f8bf438da5901e9f91fe2d8a4805c76184d12e6
                                                                                          • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                          • Opcode Fuzzy Hash: e164254f3378dd396073a59d5f8bf438da5901e9f91fe2d8a4805c76184d12e6
                                                                                          • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                          APIs
                                                                                          • wsprintfA.USER32 ref: 0040B467
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                            • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$wsprintf
                                                                                          • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                          • API String ID: 1220175532-2340906255
                                                                                          • Opcode ID: 07bf672bddbe06c2f420d96725ac0e1f54ef040b4224a6cef6ca6ba202742de3
                                                                                          • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                          • Opcode Fuzzy Hash: 07bf672bddbe06c2f420d96725ac0e1f54ef040b4224a6cef6ca6ba202742de3
                                                                                          • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32 ref: 029B202D
                                                                                          • GetSystemInfo.KERNEL32(?), ref: 029B204F
                                                                                          • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 029B206A
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 029B2071
                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 029B2082
                                                                                          • GetTickCount.KERNEL32 ref: 029B2230
                                                                                            • Part of subcall function 029B1E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 029B1E7C
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                          • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                          • API String ID: 4207808166-1391650218
                                                                                          • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                          • Instruction ID: ad89a558a526af43ddb215cb195e7ef56d43268a244c1e1827628b41dc779185
                                                                                          • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                          • Instruction Fuzzy Hash: 1E5137B0900348AFE332AF758D84FE7BAECEF85704F40491DF99692142D7B8A544CB65
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00402078
                                                                                          • GetTickCount.KERNEL32 ref: 004020D4
                                                                                          • GetTickCount.KERNEL32 ref: 004020DB
                                                                                          • GetTickCount.KERNEL32 ref: 0040212B
                                                                                          • GetTickCount.KERNEL32 ref: 00402132
                                                                                          • GetTickCount.KERNEL32 ref: 00402142
                                                                                            • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7686EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                            • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7686EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                            • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                            • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                            • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                          • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                          • API String ID: 3976553417-1522128867
                                                                                          • Opcode ID: 66737db9b915561633ae3f492ee5f4d9e9eb10476a5fdfc482486e88eb260942
                                                                                          • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                          • Opcode Fuzzy Hash: 66737db9b915561633ae3f492ee5f4d9e9eb10476a5fdfc482486e88eb260942
                                                                                          • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                          APIs
                                                                                          • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                          • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                          • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: closesockethtonssocket
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 311057483-2401304539
                                                                                          • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                          • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                          • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                          • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                          APIs
                                                                                            • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                            • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                          • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                          • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                          • GetTickCount.KERNEL32 ref: 0040C363
                                                                                          • GetTickCount.KERNEL32 ref: 0040C378
                                                                                          • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                          • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                          • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1553760989-1857712256
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 029B3068
                                                                                          • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 029B3078
                                                                                          • GetProcAddress.KERNEL32(00000000,00410408), ref: 029B3095
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 029B30B6
                                                                                          • htons.WS2_32(00000035), ref: 029B30EF
                                                                                          • inet_addr.WS2_32(?), ref: 029B30FA
                                                                                          • gethostbyname.WS2_32(?), ref: 029B310D
                                                                                          • HeapFree.KERNEL32(00000000), ref: 029B314D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                          • String ID: iphlpapi.dll
                                                                                          • API String ID: 2869546040-3565520932
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32(?), ref: 029B95A7
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 029B95D5
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 029B95DC
                                                                                          • wsprintfA.USER32 ref: 029B9635
                                                                                          • wsprintfA.USER32 ref: 029B9673
                                                                                          • wsprintfA.USER32 ref: 029B96F4
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 029B9758
                                                                                          • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 029B978D
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 029B97D8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                          • String ID:
                                                                                          • API String ID: 3696105349-0
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                          • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                          • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                          • String ID: DnsQuery_A$dnsapi.dll
                                                                                          • API String ID: 3560063639-3847274415
                                                                                          APIs
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: lstrcmpi
                                                                                          • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                          • API String ID: 1586166983-1625972887
                                                                                          APIs
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,771A8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                          • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                          • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                          • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                          • String ID:
                                                                                          • API String ID: 3188212458-0
                                                                                          APIs
                                                                                          • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 029B67C3
                                                                                          • htonl.WS2_32(?), ref: 029B67DF
                                                                                          • htonl.WS2_32(?), ref: 029B67EE
                                                                                          • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 029B68F1
                                                                                          • ExitProcess.KERNEL32 ref: 029B69BC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: Processhtonl$CurrentExitHugeRead
                                                                                          • String ID: except_info$localcfg
                                                                                          • API String ID: 1150517154-3605449297
                                                                                          APIs
                                                                                          • htons.WS2_32(029BCC84), ref: 029BF5B4
                                                                                          • socket.WS2_32(00000002,00000001,00000000), ref: 029BF5CE
                                                                                          • closesocket.WS2_32(00000000), ref: 029BF5DC
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: closesockethtonssocket
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 311057483-2401304539
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                          • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                          • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                          • wsprintfA.USER32 ref: 00407036
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                          • String ID: /%d$|
                                                                                          • API String ID: 676856371-4124749705
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(?), ref: 029B2FA1
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 029B2FB1
                                                                                          • GetProcAddress.KERNEL32(00000000,004103F0), ref: 029B2FC8
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000108), ref: 029B3000
                                                                                          • RtlAllocateHeap.NTDLL(00000000), ref: 029B3007
                                                                                          • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 029B3032
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                          • String ID: dnsapi.dll
                                                                                          • API String ID: 1242400761-3175542204
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                          • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                          • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                          • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                          • API String ID: 1082366364-3395550214
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 029B9A18
• GetThreadContext.KERNEL32(?,?), ref: 029B9A52
• TerminateProcess.KERNEL32(?,00000000), ref: 029B9A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 029B9A98
• SetThreadContext.KERNEL32(?,00010002), ref: 029B9AB5
• ResumeThread.KERNEL32(?), ref: 029B9AC2
Memory Dump Source
• Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
Similarity
• API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
• String ID: D
• API String ID: 2981417381-2746444292
APIs
• inet_addr.WS2_32(004102D8), ref: 029B1C18
• LoadLibraryA.KERNEL32(004102C8), ref: 029B1C26
• GetProcessHeap.KERNEL32 ref: 029B1C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 029B1C9D
• RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 029B1CC1
• HeapFree.KERNEL32(?,00000000,00000000), ref: 029B1D02
• FreeLibrary.KERNEL32(?), ref: 029B1D0B
Memory Dump Source
• Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
Similarity
• API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
• String ID:
• API String ID: 2324436984-0
APIs
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 029B6CE4
• GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 029B6D22
• GetLastError.KERNEL32 ref: 029B6DA7
• CloseHandle.KERNEL32(?), ref: 029B6DB5
• GetLastError.KERNEL32 ref: 029B6DD6
• DeleteFileA.KERNEL32(?), ref: 029B6DE7
• GetLastError.KERNEL32 ref: 029B6DFD
Memory Dump Source
• Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
Similarity
• API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
• String ID:
• API String ID: 3873183294-0
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\fdcgtgix,029B7043), ref: 029B6F4E
• GetProcAddress.KERNEL32(00000000), ref: 029B6F55
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 029B6F7B
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 029B6F92
Memory Dump Source
• Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$\\.\pipe\fdcgtgix
• API String ID: 1082366364-641816551
Memory Dump Source
• Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
Similarity
• API ID: lstrlen
• String ID: $localcfg
• API String ID: 1659193697-2018645984
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
  • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
• lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
• lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
• lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
• lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
Memory Dump Source
• Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
Similarity
• API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
• String ID: flags_upd$localcfg
• API String ID: 204374128-3505511081
APIs
  • Part of subcall function 029BDF6C: GetCurrentThreadId.KERNEL32 ref: 029BDFBA
• lstrcmp.KERNEL32(00410178,00000000), ref: 029BE8FA
• lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,029B6128), ref: 029BE950
• lstrcmp.KERNEL32(?,00000008), ref: 029BE989
Memory Dump Source
• Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
Similarity
• API ID: lstrcmp$CurrentThreadlstrcpyn
• String ID: A$ A$ A
• API String ID: 2920362961-1846390581
Memory Dump Source
• Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
Memory Dump Source
• Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Memory Dump Source
• Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 029B92E2
• wsprintfA.USER32 ref: 029B9350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 029B9375
• lstrlen.KERNEL32(?,?,00000000), ref: 029B9389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 029B9394
• CloseHandle.KERNEL32(00000000), ref: 029B939B
Memory Dump Source
• Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,771B0F10,?,00000000,0040E538,?,771B0F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
                                                                                          • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                          • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                                          • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                                          • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 029BC6B4
                                                                                          • InterlockedIncrement.KERNEL32(029BC74B), ref: 029BC715
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,029BC747), ref: 029BC728
                                                                                          • CloseHandle.KERNEL32(00000000,?,029BC747,00413588,029B8A77), ref: 029BC733
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1026198776-1857712256
                                                                                          • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                          • Instruction ID: bec825192b39cae195558dc7e12f6a7e09e74ab2b81729216591cbf9874febf6
                                                                                          • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                                          • Instruction Fuzzy Hash: FE514AB1A01B468FD7258F69C6D466ABBE9FF88304B50593FE18BC7A90D774E840CB10
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 0040815F
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 00408187
                                                                                          • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 004081BE
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 00408210
                                                                                            • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 0040677E
                                                                                            • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 0040679A
                                                                                            • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 004067B0
                                                                                            • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 004067BF
                                                                                            • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 004067D3
                                                                                            • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,771B0F10,00000000), ref: 00406807
                                                                                            • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040681F
                                                                                            • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 0040683E
                                                                                            • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0040685C
                                                                                            • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                            • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                          • String ID: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe
                                                                                          • API String ID: 124786226-577293463
                                                                                          • Opcode ID: af514698247d92645eaa8a26d12ecf441a4c22af2d789d8c6bf78666e30c58a7
                                                                                          • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                          • Opcode Fuzzy Hash: af514698247d92645eaa8a26d12ecf441a4c22af2d789d8c6bf78666e30c58a7
                                                                                          • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
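The API lines in these function listings are dense: the module is appended to the API name, arguments are 8-digit hex stack slots, `?` marks a value the analysis could not resolve, and the argument column runs past the API's real parameter count (the recurring `771B0F10` is stack content captured at the call, not a parameter). The following is an added example, not Joe Sandbox output or code from this report: a small parser for that line format plus a decoder that names the Windows SDK and Winsock constants in the leading parameters of the registry, file and `setsockopt` calls shown in this section (the RegOpenKeyExA/CreateFileA/SetFileAttributesA block just above and the setsockopt function listed later). The sample input is constructed from lines copied out of this report; the constant values come from the public SDK headers.

```python
"""Parser and constant decoder for the per-function "APIs" lines of a Joe Sandbox
report. Argument lists are a window of stack slots captured at the call site, so
the decoder only names the leading positions it knows and keeps '?' slots as None.
Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: lines copied from this report's function listings.
SAMPLE_LINES = """
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 0040815F
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 004067BF
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
• GetTickCount.KERNEL32 ref: 0040DD0F
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
"""

_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")

@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                          # address of the call instruction
    args: List[object]                # int, None for an unresolved '?', or str for a literal
    subcall_of: Optional[int] = None  # set for "Part of subcall function X" lines

def _arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"-?[0-9A-F]{8}", tok):   # 8 hex digits, optional sign (e.g. -000000DC)
        return int(tok, 16)
    return tok                                 # inline string literal such as LocalHost

def parse(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:                              # blank lines and headings are skipped
            continue
        raw = m["args"]
        calls.append(ApiCall(api=m["api"], module=m["mod"], ref=int(m["ref"], 16),
                             args=[_arg(t) for t in raw.split(",")] if raw else [],
                             subcall_of=int(m["sub"], 16) if m["sub"] else None))
    return calls

# Constants from winreg.h / winnt.h / winsock2.h.
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ACCESS = {0x0001: "KEY_QUERY_VALUE", 0x0002: "KEY_SET_VALUE", 0x0004: "KEY_CREATE_SUB_KEY",
              0x0008: "KEY_ENUMERATE_SUB_KEYS", 0x0010: "KEY_NOTIFY", 0x0020: "KEY_CREATE_LINK",
              0x0100: "KEY_WOW64_64KEY", 0x0200: "KEY_WOW64_32KEY", 0x20000: "READ_CONTROL"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x01: "FILE_ATTRIBUTE_READONLY", 0x02: "FILE_ATTRIBUTE_HIDDEN", 0x04: "FILE_ATTRIBUTE_SYSTEM",
             0x20: "FILE_ATTRIBUTE_ARCHIVE", 0x80: "FILE_ATTRIBUTE_NORMAL"}
SOL_SOCKET, IPPROTO_TCP = 0xFFFF, 6
SO_OPTS = {0x0004: "SO_REUSEADDR", 0x0008: "SO_KEEPALIVE", 0x0080: "SO_LINGER",
           0x1005: "SO_SNDTIMEO", 0x1006: "SO_RCVTIMEO"}
TCP_OPTS = {0x0001: "TCP_NODELAY"}

def _flags(value: int, table: dict) -> str:
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)                 # bits the table does not cover
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"

def decode(call: ApiCall) -> dict:
    """Name the constants in the leading parameters of the APIs this decoder knows."""
    a, notes = call.args, {}
    def ok(i):                                 # slot exists and was resolved to a number
        return len(a) > i and isinstance(a[i], int)
    if call.api.startswith("RegOpenKeyEx"):
        if ok(0): notes["hKey"] = HKEYS.get(a[0], hex(a[0]))
        if ok(3): notes["samDesired"] = _flags(a[3], KEY_ACCESS)
    elif call.api.startswith("SetFileAttributes"):
        if ok(1): notes["dwFileAttributes"] = _flags(a[1], FILE_ATTR)
    elif call.api.startswith("CreateFile"):
        if ok(1): notes["dwDesiredAccess"] = _flags(a[1], GENERIC)
        if ok(2): notes["dwShareMode"] = _flags(a[2], SHARE)
        if ok(4): notes["dwCreationDisposition"] = CREATION.get(a[4], hex(a[4]))
        if ok(5): notes["dwFlagsAndAttributes"] = _flags(a[5], FILE_ATTR)
    elif call.api == "setsockopt" and ok(1) and ok(2):
        if a[1] == SOL_SOCKET:
            notes["option"] = "SOL_SOCKET/" + SO_OPTS.get(a[2], hex(a[2]))
        elif a[1] == IPPROTO_TCP:
            notes["option"] = "IPPROTO_TCP/" + TCP_OPTS.get(a[2], hex(a[2]))
    return notes

if __name__ == "__main__":
    for c in parse(SAMPLE_LINES):
        via = f" (via {c.subcall_of:08X})" if c.subcall_of else ""
        print(f"{c.ref:08X}{via} {c.api}.{c.module}", decode(c) or c.args)
```

Run against the copied lines, the decoder shows the file-reading subcall opening its target with GENERIC_READ / OPEN_EXISTING and flipping its attributes from FILE_ATTRIBUTE_NORMAL to FILE_ATTRIBUTE_HIDDEN, the registry opens targeting HKEY_CURRENT_USER with KEY_WOW64_64KEY set, and the socket setup applying SO_SNDTIMEO and TCP_NODELAY. Note that the first RegOpenKeyExA line has `?` in the samDesired slot, so only hKey is named for it; the decoder never guesses from unresolved positions.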
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 029B71E1
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 029B7228
                                                                                          • LocalFree.KERNEL32(?,?,?), ref: 029B7286
                                                                                          • wsprintfA.USER32 ref: 029B729D
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                          • String ID: |
                                                                                          • API String ID: 2539190677-2343686810
                                                                                          • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                          • Instruction ID: 464caa247c195e7534b5bb02cc54ca1f80958e5cce00a0371cebc8f276fa4088
                                                                                          • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                          • Instruction Fuzzy Hash: 9F312972A00208BFDB02DFA8DD45BDA7BACEF44314F14C166F959DB240EB75D6488BA4
                                                                                          APIs
                                                                                          • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                          • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                          • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                          • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$gethostnamelstrcpy
                                                                                          • String ID: LocalHost
                                                                                          • API String ID: 3695455745-3154191806
                                                                                          • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                          • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                          • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                          • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
                                                                                          • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                          • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                          • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                          • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: QueryValue$CloseOpen
                                                                                          • String ID:
                                                                                          • API String ID: 1586453840-0
                                                                                          • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                          • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                                          • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                                          • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 029BB51A
                                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 029BB529
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 029BB548
                                                                                          • GetTimeZoneInformation.KERNEL32(?), ref: 029BB590
                                                                                          • wsprintfA.USER32 ref: 029BB61E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                          • String ID:
                                                                                          • API String ID: 4026320513-0
                                                                                          • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                          • Instruction ID: 724ddb351160e7a98ca85c30cafe30d6e01b5a0d55529ddfa370c3705feaab14
                                                                                          • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                          • Instruction Fuzzy Hash: 5C511EB1D0021CAACF15DFD5D9889EEBBB9BF48304F10856AE505A6150E7F84AC9CF98
                                                                                          APIs
                                                                                          • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                          • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                          • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                          • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Read$AddressLibraryLoadProc
                                                                                          • String ID:
                                                                                          • API String ID: 2438460464-0
                                                                                          • Opcode ID: 5dd434fdf3d1b2f7ac71eae5deaa1b81d7ffa9032da077e8e99a06cc7be058a2
                                                                                          • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                          • Opcode Fuzzy Hash: 5dd434fdf3d1b2f7ac71eae5deaa1b81d7ffa9032da077e8e99a06cc7be058a2
                                                                                          • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                          APIs
                                                                                          • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 029B6303
                                                                                          • LoadLibraryA.KERNEL32(?), ref: 029B632A
                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 029B63B1
                                                                                          • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 029B6405
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: HugeRead$AddressLibraryLoadProc
                                                                                          • String ID:
                                                                                          • API String ID: 3498078134-0
                                                                                          • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                          • Instruction ID: aad41257da8cabcb71046fe7f354872aea0c2073ae96a8a25e94b59b3bd7ad9d
                                                                                          • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                          • Instruction Fuzzy Hash: 3B417971A00609ABDB16CF58CA84BEDBBBDFF04318F188469E969D7290E731F940CB50
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                          • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                          • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                          • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                          APIs
                                                                                            • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                          • lstrcmpA.KERNEL32(771B0F18,00000000,?,771B0F10,00000000,?,00405EC1), ref: 0040E693
                                                                                          • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,771B0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                          • lstrcmpA.KERNEL32(?,00000008,?,771B0F10,00000000,?,00405EC1), ref: 0040E722
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                          • String ID: A$ A
                                                                                          • API String ID: 3343386518-686259309
                                                                                          • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                          • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                          • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                          • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0040272E
                                                                                          • htons.WS2_32(00000001), ref: 00402752
                                                                                          • htons.WS2_32(0000000F), ref: 004027D5
                                                                                          • htons.WS2_32(00000001), ref: 004027E3
                                                                                          • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                            • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                            • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                          • String ID:
                                                                                          • API String ID: 1802437671-0
                                                                                          APIs
                                                                                          • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                          • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                          • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                          • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                          • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: setsockopt
                                                                                          • String ID:
                                                                                          • API String ID: 3981526788-0
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                          • CharToOemA.USER32(?,?), ref: 00409174
                                                                                          • wsprintfA.USER32 ref: 004091A9
                                                                                            • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                            • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                            • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                            • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                            • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                            • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                          • String ID:
                                                                                          • API String ID: 3857584221-0
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 029B93C6
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 029B93CD
                                                                                          • CharToOemA.USER32(?,?), ref: 029B93DB
                                                                                          • wsprintfA.USER32 ref: 029B9410
                                                                                            • Part of subcall function 029B92CB: GetTempPathA.KERNEL32(00000400,?), ref: 029B92E2
                                                                                            • Part of subcall function 029B92CB: wsprintfA.USER32 ref: 029B9350
                                                                                            • Part of subcall function 029B92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 029B9375
                                                                                            • Part of subcall function 029B92CB: lstrlen.KERNEL32(?,?,00000000), ref: 029B9389
                                                                                            • Part of subcall function 029B92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 029B9394
                                                                                            • Part of subcall function 029B92CB: CloseHandle.KERNEL32(00000000), ref: 029B939B
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 029B9448
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                          • String ID:
                                                                                          • API String ID: 3857584221-0
                                                                                          APIs
                                                                                          • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                          • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                          • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                          • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: lstrlen$lstrcmpi
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1808961391-1857712256
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                          • API String ID: 2574300362-1087626847
                                                                                          APIs
                                                                                            • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                          • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                          • String ID: hi_id$localcfg
                                                                                          • API String ID: 2777991786-2393279970
                                                                                          APIs
                                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                          • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                          • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                          • String ID: *p@
                                                                                          • API String ID: 3429775523-2474123842
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: gethostbynameinet_addr
                                                                                          • String ID: time_cfg$u6A
                                                                                          • API String ID: 1594361348-1940331995
                                                                                          APIs
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 029B69E5
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002), ref: 029B6A26
                                                                                          • GetFileSize.KERNEL32(000000FF,00000000), ref: 029B6A3A
                                                                                          • CloseHandle.KERNEL32(000000FF), ref: 029B6BD8
                                                                                            • Part of subcall function 029BEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,029B1DCF,?), ref: 029BEEA8
                                                                                            • Part of subcall function 029BEE95: HeapFree.KERNEL32(00000000), ref: 029BEEAF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                          • String ID:
                                                                                          • API String ID: 3384756699-0
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: wsprintf
                                                                                          • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                          • API String ID: 2111968516-120809033
                                                                                          APIs
                                                                                          • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                          • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                          • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                          • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Similarity
                                                                                          • API ID: Value$CloseCreateDelete
                                                                                          • String ID:
                                                                                          • API String ID: 2667537340-0
                                                                                          APIs
                                                                                          • RegCreateKeyExA.ADVAPI32(80000001,029BE50A,00000000,00000000,00000000,00020106,00000000,029BE50A,00000000,000000E4), ref: 029BE319
                                                                                          • RegSetValueExA.ADVAPI32(029BE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 029BE38E
                                                                                          • RegDeleteValueA.ADVAPI32(029BE50A,?,?,?,?,?,000000C8,004122F8), ref: 029BE3BF
                                                                                          • RegCloseKey.ADVAPI32(029BE50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,029BE50A), ref: 029BE3C8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          • API ID: Value$CloseCreateDelete
                                                                                          • API String ID: 2667537340-0
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                          • GetLastError.KERNEL32 ref: 00403F4E
                                                                                          • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                          • API String ID: 3373104450-0
                                                                                          APIs
                                                                                          • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 029B421F
                                                                                          • GetLastError.KERNEL32 ref: 029B4229
                                                                                          • WaitForSingleObject.KERNEL32(?,?), ref: 029B423A
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 029B424D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                          • API String ID: 888215731-0
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 029B41AB
                                                                                          • GetLastError.KERNEL32 ref: 029B41B5
                                                                                          • WaitForSingleObject.KERNEL32(?,?), ref: 029B41C6
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 029B41D9
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                          • API String ID: 3373104450-0
                                                                                          APIs
                                                                                          • lstrcmp.KERNEL32(?,80000009), ref: 029BE066
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          • API ID: lstrcmp
                                                                                          • String ID: A$ A$ A
                                                                                          • API String ID: 1534048567-1846390581
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                          • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                          • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • API String ID: 2207858713-0
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                          • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                          • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • API String ID: 2207858713-0
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                          • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                          • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                          • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • API String ID: 2207858713-0
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00403103
                                                                                          • GetTickCount.KERNEL32 ref: 0040310F
                                                                                          • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • API String ID: 2207858713-0
                                                                                          APIs
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 029B83C6
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 029B8477
                                                                                            • Part of subcall function 029B69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 029B69E5
                                                                                            • Part of subcall function 029B69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 029B6A26
                                                                                            • Part of subcall function 029B69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 029B6A3A
                                                                                            • Part of subcall function 029BEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,029B1DCF,?), ref: 029BEEA8
                                                                                            • Part of subcall function 029BEE95: HeapFree.KERNEL32(00000000), ref: 029BEEAF
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                          • String ID: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe
                                                                                          • API String ID: 359188348-577293463
                                                                                          APIs
                                                                                          • GetLocalTime.KERNEL32(?), ref: 029BAFFF
                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 029BB00D
                                                                                            • Part of subcall function 029BAF6F: gethostname.WS2_32(?,00000080), ref: 029BAF83
                                                                                            • Part of subcall function 029BAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 029BAFE6
                                                                                            • Part of subcall function 029B331C: gethostname.WS2_32(?,00000080), ref: 029B333F
                                                                                            • Part of subcall function 029B331C: gethostbyname.WS2_32(?), ref: 029B3349
                                                                                            • Part of subcall function 029BAA0A: inet_ntoa.WS2_32(00000000), ref: 029BAA10
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                          • String ID: %OUTLOOK_BND_
                                                                                          • API String ID: 1981676241-3684217054
                                                                                          APIs
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 029B9536
                                                                                          • Sleep.KERNEL32(000001F4), ref: 029B955D
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          • API ID: ExecuteShellSleep
                                                                                          • API String ID: 4194306370-3916222277
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                          • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FileWrite
                                                                                          • String ID: ,k@
                                                                                          • API String ID: 3934441357-1053005162
                                                                                          • Opcode ID: addf51b803be8b3fdc0b349711ac0ded489e61cd96ba8191abdedb398079e53a
                                                                                          • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                          • Opcode Fuzzy Hash: addf51b803be8b3fdc0b349711ac0ded489e61cd96ba8191abdedb398079e53a
                                                                                          • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 029BB9D9
                                                                                          • InterlockedIncrement.KERNEL32(00413648), ref: 029BBA3A
                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 029BBA94
                                                                                          • GetTickCount.KERNEL32 ref: 029BBB79
                                                                                          • GetTickCount.KERNEL32 ref: 029BBB99
                                                                                          • InterlockedIncrement.KERNEL32(?), ref: 029BBE15
                                                                                          • closesocket.WS2_32(00000000), ref: 029BBEB4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountIncrementInterlockedTick$closesocket
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 1869671989-2903620461
                                                                                          • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                          • Instruction ID: 2d9468a872f1de813176799bfbeafec710fd1fcee8303e8f3e7621881576d352
                                                                                          • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                                          • Instruction Fuzzy Hash: 07317C71500248DFDF26DFA4DE98BEDB7A9EF88704F20446AFA24821A0DB34D685CF50
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 536389180-1857712256
                                                                                          • Opcode ID: f585014306f6c3250efaa4e73719a74caf3cdfa730fd8078cc8a6a0845b45eb1
                                                                                          • Instruction ID: 1ef816322ecc1e041cdf399b9b138f6358d408137adc4a714cdb07e14db9ba06
                                                                                          • Opcode Fuzzy Hash: f585014306f6c3250efaa4e73719a74caf3cdfa730fd8078cc8a6a0845b45eb1
                                                                                          • Instruction Fuzzy Hash: 0821C631610115AFCB109F64DE8169ABBB9EF20311B25427FD881F72D1DF38E940875C
                                                                                          APIs
                                                                                          Strings
                                                                                          • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTickwsprintf
                                                                                          • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                          • API String ID: 2424974917-1012700906
                                                                                          • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                          • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                                          • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                                          • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                                          APIs
                                                                                            • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                            • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 3716169038-2903620461
                                                                                          • Opcode ID: 07e354698f15fd9fc768e13d315d3543d6c442699b8c7836c4f7c54cdd5a5fd6
                                                                                          • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                                          • Opcode Fuzzy Hash: 07e354698f15fd9fc768e13d315d3543d6c442699b8c7836c4f7c54cdd5a5fd6
                                                                                          • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                                          APIs
                                                                                          • GetUserNameW.ADVAPI32(?,?), ref: 029B70BC
                                                                                          • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 029B70F4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$AccountLookupUser
                                                                                          • String ID: |
                                                                                          • API String ID: 2370142434-2343686810
                                                                                          • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                          • Instruction ID: 9175a348efa739e0004460cb552a100cf30286f3c4aaeb23d62e2edb7989c23b
                                                                                          • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                          • Instruction Fuzzy Hash: E411FA73900118EBDB12CBD4DD84AEEB7BDAF44719F1442A6E501E6194D7709B88CBA0
                                                                                          APIs
                                                                                            • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                          • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                          • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 2777991786-1857712256
                                                                                          • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                          • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                          • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                          • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                          APIs
                                                                                          • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                          • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: IncrementInterlockedlstrcpyn
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 224340156-2903620461
                                                                                          • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                          • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                          • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                          • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                          APIs
                                                                                          • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                          • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbyaddrinet_ntoa
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 2112563974-1857712256
                                                                                          • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                          • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                          • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                          • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                          APIs
                                                                                          • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                          • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbynameinet_addr
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 1594361348-2401304539
                                                                                          • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                          • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                          • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7686EA50,80000001,00000000), ref: 0040EAF2
                                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: ntdll.dll
                                                                                          • API String ID: 2574300362-2227199552
                                                                                          • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                          • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                          • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                          • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                          APIs
                                                                                            • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                          • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_400000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1017166417-0
                                                                                          • Opcode ID: 44b2ceadd519ca45f912a616d592807794313ca1f1de80b4bcf7ee55ccb8d493
                                                                                          • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                          • Opcode Fuzzy Hash: 44b2ceadd519ca45f912a616d592807794313ca1f1de80b4bcf7ee55ccb8d493
                                                                                          • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                                          APIs
                                                                                            • Part of subcall function 029B2F88: GetModuleHandleA.KERNEL32(?), ref: 029B2FA1
                                                                                            • Part of subcall function 029B2F88: LoadLibraryA.KERNEL32(?), ref: 029B2FB1
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 029B31DA
                                                                                          • HeapFree.KERNEL32(00000000), ref: 029B31E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_20_2_29b0000_pspizbvl.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1017166417-0
                                                                                          • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                          • Instruction ID: 458f2a3c6801884b0a0f90d64a1ec5e32411f1e96aa837dc75be210740d6b19e
                                                                                          • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                          • Instruction Fuzzy Hash: B7518A7190024AEFCB02DF64DD88AFAB779FF05304B1445A9EC9687220E7329A19CB94
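
The per-function records above all share one shape: an "APIs" list of resolved calls with call-site addresses, a "Strings" list, the memory region the function was lifted from ("Offset: ..., based on PE: true/false"), and a "Similarity" block with API/String IDs and fuzzy hashes. Reading them one at a time is slow; the script below, an added example that is not part of the Joe Sandbox report or its IDA plugin, parses that shape and rolls the records up into a capability summary. The CATEGORY buckets are this example's own heuristic, not a taxonomy the report defines, and the SAMPLE text is a constructed excerpt of three records from above with their hashes trimmed. Two things the summary makes visible: literal names the decompiler recovered inside LoadLibraryA/GetProcAddress calls (here Iphlpapi.dll and GetAdaptersAddresses), which count as capabilities even though they never appear as direct imports, and records whose region the sandbox could not map to a PE image ("based on PE: false"), which is code that was written into memory at run time rather than loaded from the file on disk.

```python
"""Roll Joe Sandbox per-function records up into a capability summary.

Added example, not part of the Joe Sandbox report. CATEGORY is this
example's heuristic mapping, not something the report defines.
"""
import re

# Heuristic buckets for this example (assumption, not Joe Sandbox's taxonomy).
CATEGORY = {
    "host-discovery": {"GetComputerNameA", "GetVolumeInformationA", "GetUserNameW",
                       "LookupAccountNameW", "GetAdaptersAddresses"},
    "network": {"gethostbyname", "gethostbyaddr", "inet_addr", "inet_ntoa",
                "closesocket", "WSAStartup", "setsockopt"},
    "dynamic-import": {"LoadLibraryA", "GetModuleHandleA", "GetProcAddress"},
    "file-write": {"WriteFile"},
}
# "Name.DLL(args), ref: ADDR", or "Name.DLL ref: ADDR" for argument-less calls;
# lines lifted from a callee carry a "Part of subcall function XXXX: " prefix.
API_RE = re.compile(r"^(?:Part of subcall function [0-9A-Fa-f]+: )?"
                    r"(\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-Fa-f]+)$")
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}

# Constructed excerpt of three records from the report above (hashes trimmed).
SAMPLE = """\
APIs
• GetTickCount.KERNEL32 ref: 029BB9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 029BBA3A
• closesocket.WS2_32(00000000), ref: 029BBEB4
Memory Dump Source
• Source File: 00000014.00000002.1689159979.00000000029B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Memory Dump Source
• Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
• inet_ntoa.WS2_32(?), ref: 004026E4
Memory Dump Source
• Source File: 00000014.00000002.1686797624.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
"""

def parse_records(text):
    """Split the text at each 'APIs' header and collect one record per function."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if not line:
            continue
        if line == "APIs":
            rec = {"apis": [], "strings": [], "offset": None, "pe_backed": None, "string_id": ""}
            records.append(rec)
            section = "apis"
        elif rec is None:
            continue
        elif line in HEADERS:
            section = line
        elif section == "apis":
            m = API_RE.match(line)
            if m:
                rec["apis"].append({"name": m.group(1), "dll": m.group(2),
                                    "args": [a for a in (m.group(3) or "").split(",") if a],
                                    "ref": m.group(4), "subcall": line.startswith("Part of")})
        elif section == "Strings":
            rec["strings"].append(line.split(", xrefs:")[0])
        elif section == "Memory Dump Source" and line.startswith("Source File:"):
            m = re.search(r"Offset: ([0-9A-Fa-f]+), based on PE: (true|false)", line)
            rec["offset"], rec["pe_backed"] = m.group(1), m.group(2) == "true"
        elif line.startswith("String ID:"):
            rec["string_id"] = line[len("String ID:"):].strip()
    return records

def dynamic_imports(rec):
    """Literal names the decompiler recovered in LoadLibraryA / GetProcAddress calls."""
    found = []
    for api in rec["apis"]:
        args = api["args"]
        if api["name"] == "LoadLibraryA" and args and args[0] != "?" and not HEX_RE.match(args[0]):
            found.append(args[0])
        if api["name"] == "GetProcAddress" and len(args) > 1 and args[1] != "?" and not HEX_RE.match(args[1]):
            found.append(args[1])
    return found

def capabilities(rec):
    names = {a["name"] for a in rec["apis"]} | set(dynamic_imports(rec))
    return sorted(cat for cat, apis in CATEGORY.items() if names & apis)

def summarize(text):
    out = []
    for rec in parse_records(text):
        own = [a for a in rec["apis"] if not a["subcall"]] or rec["apis"]
        out.append({"site": own[0]["ref"] if own else "?",  # first call site, not the function start
                    "region": rec["offset"], "pe_backed": rec["pe_backed"],
                    "capabilities": capabilities(rec), "imports": dynamic_imports(rec),
                    "string_id": rec["string_id"]})
    return out

def unbacked_regions(summary):
    """Regions the sandbox could not map to a PE image: code written at run time."""
    return {s["region"] for s in summary if s["pe_backed"] is False}

def hunting_strings(records, min_len=4):
    """Distinct String IDs / string xrefs long enough to be worth a YARA or grep pass."""
    return sorted({s for r in records for s in [r["string_id"], *r["strings"]] if len(s) >= min_len})

if __name__ == "__main__":
    summary = summarize(SAMPLE)
    for s in summary:
        print(s)
    print("unbacked regions:", unbacked_regions(summary))
    print("hunting strings:", hunting_strings(parse_records(SAMPLE)))
```

The "site" field is the first call site inside the function, which is all the record gives; the function's start address is not in the text, so the script does not pretend to know it. Pasting the whole set of records from this page into SAMPLE yields the full breakdown, including which functions live at 029B0000 versus the 00400000 image.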

                                                                                          Execution Graph

                                                                                          Execution Coverage:14.7%
                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                          Signature Coverage:0.7%
                                                                                          Total number of Nodes:1806
                                                                                          Total number of Limit Nodes:18
                                                                                          execution_graph 8057 455c05 IsBadWritePtr 8058 455c24 IsBadWritePtr 8057->8058 8065 455ca6 8057->8065 8059 455c32 8058->8059 8058->8065 8060 455c82 8059->8060 8061 454bd1 4 API calls 8059->8061 8062 454bd1 4 API calls 8060->8062 8061->8060 8063 455c90 8062->8063 8064 455472 18 API calls 8063->8064 8064->8065 8066 45f304 8069 45f26d setsockopt setsockopt setsockopt setsockopt setsockopt 8066->8069 8068 45f312 8069->8068 8070 455b84 IsBadWritePtr 8071 455b99 8070->8071 8072 455b9d 8070->8072 8073 454bd1 4 API calls 8072->8073 8074 455bcc 8073->8074 8075 455472 18 API calls 8074->8075 8076 455be5 8075->8076 8077 45f483 WSAStartup 7910 455e4d 7915 455048 7910->7915 7916 454bd1 4 API calls 7915->7916 7917 455056 7916->7917 7918 45508b 7917->7918 7919 45ec2e codecvt 4 API calls 7917->7919 7919->7918 8078 455e0d 8081 4550dc 8078->8081 8080 455e20 8082 454bd1 4 API calls 8081->8082 8083 4550f2 8082->8083 8084 454ae6 8 API calls 8083->8084 8090 4550ff 8084->8090 8085 455130 8087 454ae6 8 API calls 8085->8087 8086 454ae6 8 API calls 8088 455110 lstrcmpA 8086->8088 8089 455138 8087->8089 8088->8085 8088->8090 8091 45516e 8089->8091 8093 45513e 8089->8093 8094 454ae6 8 API calls 8089->8094 8090->8085 8090->8086 8092 454ae6 8 API calls 8090->8092 8091->8093 8096 454ae6 8 API calls 8091->8096 8092->8090 8093->8080 8095 45515e 8094->8095 8095->8091 8098 454ae6 8 API calls 8095->8098 8097 4551b6 8096->8097 8124 454a3d 8097->8124 8098->8091 8101 454ae6 8 API calls 8102 4551c7 8101->8102 8103 454ae6 8 API calls 8102->8103 8104 4551d7 8103->8104 8105 454ae6 8 API calls 8104->8105 8106 4551e7 8105->8106 8106->8093 8107 454ae6 8 API calls 8106->8107 8108 455219 8107->8108 8109 454ae6 8 API calls 8108->8109 8110 455227 8109->8110 8111 454ae6 8 API calls 8110->8111 8112 45524f lstrcpyA 8111->8112 8113 454ae6 8 API calls 8112->8113 8114 455263 8113->8114 8115 454ae6 8 API calls 8114->8115 8116 455315 
8115->8116 8117 454ae6 8 API calls 8116->8117 8118 455323 8117->8118 8119 454ae6 8 API calls 8118->8119 8121 455331 8119->8121 8120 454ae6 8 API calls 8120->8121 8121->8093 8121->8120 8122 454ae6 8 API calls 8121->8122 8123 455351 lstrcmpA 8122->8123 8123->8093 8123->8121 8125 454a4a 8124->8125 8127 454a53 8124->8127 8128 45ebed 8 API calls 8125->8128 8126 454a78 8130 454aa3 8126->8130 8131 454a8e 8126->8131 8127->8126 8129 45ebed 8 API calls 8127->8129 8128->8127 8129->8126 8132 454a9b 8130->8132 8134 45ebed 8 API calls 8130->8134 8131->8132 8133 45ec2e codecvt 4 API calls 8131->8133 8132->8101 8133->8132 8134->8132 8135 454c0d 8136 454ae6 8 API calls 8135->8136 8137 454c17 8136->8137 7920 45e749 7921 45dd05 6 API calls 7920->7921 7922 45e751 7921->7922 7923 45e781 lstrcmpA 7922->7923 7924 45e799 7922->7924 7923->7922 7925 45444a 7926 454458 7925->7926 7927 45446a 7926->7927 7929 451940 7926->7929 7930 45ec2e codecvt 4 API calls 7929->7930 7931 451949 7930->7931 7931->7927 8151 458314 8152 45675c 21 API calls 8151->8152 8153 458324 8152->8153 7932 458c51 7933 458c86 7932->7933 7934 458c5d 7932->7934 7935 458c8b lstrcmpA 7933->7935 7945 458c7b 7933->7945 7938 458c7d 7934->7938 7939 458c6e 7934->7939 7936 458c9e 7935->7936 7935->7945 7937 458cad 7936->7937 7941 45ec2e codecvt 4 API calls 7936->7941 7944 45ebcc 4 API calls 7937->7944 7937->7945 7954 458bb3 7938->7954 7946 458be7 7939->7946 7941->7937 7944->7945 7947 458bf2 7946->7947 7953 458c2a 7946->7953 7948 458bb3 6 API calls 7947->7948 7949 458bf8 7948->7949 7958 456410 7949->7958 7952 458c01 7952->7953 7973 456246 7952->7973 7953->7945 7955 458be4 7954->7955 7956 458bbc 7954->7956 7956->7955 7957 456246 6 API calls 7956->7957 7957->7955 7959 456421 7958->7959 7960 45641e 7958->7960 7961 45643a 7959->7961 7962 45643e VirtualAlloc 7959->7962 7960->7952 7961->7952 7963 456472 7962->7963 7964 45645b VirtualAlloc 7962->7964 7965 45ebcc 4 API calls 7963->7965 7964->7963 7972 4564fb 7964->7972 7966 456479 7965->7966 
7966->7972 7983 456069 7966->7983 7969 4564da 7970 456246 6 API calls 7969->7970 7969->7972 7970->7972 7972->7952 7974 4562b3 7973->7974 7976 456252 7973->7976 7974->7953 7975 456297 7978 4562a0 VirtualFree 7975->7978 7979 4562ad 7975->7979 7976->7975 7977 45628f 7976->7977 7980 456281 FreeLibrary 7976->7980 7981 45ec2e codecvt 4 API calls 7977->7981 7978->7979 7982 45ec2e codecvt 4 API calls 7979->7982 7980->7976 7981->7975 7982->7974 7984 456090 IsBadReadPtr 7983->7984 7985 456089 7983->7985 7984->7985 7989 4560aa 7984->7989 7985->7969 7993 455f3f 7985->7993 7986 4560c0 LoadLibraryA 7986->7985 7986->7989 7987 45ebcc 4 API calls 7987->7989 7988 45ebed 8 API calls 7988->7989 7989->7985 7989->7986 7989->7987 7989->7988 7990 456191 IsBadReadPtr 7989->7990 7991 456155 GetProcAddress 7989->7991 7992 456141 GetProcAddress 7989->7992 7990->7985 7990->7989 7991->7989 7992->7989 7994 455fe6 7993->7994 7996 455f61 7993->7996 7994->7969 7995 455fbf VirtualProtect 7995->7994 7995->7996 7996->7994 7996->7995 8154 456511 wsprintfA IsBadReadPtr 8155 45674e 8154->8155 8156 45656a htonl htonl wsprintfA wsprintfA 8154->8156 8157 45e318 23 API calls 8155->8157 8161 4565f3 8156->8161 8158 456753 ExitProcess 8157->8158 8159 45668a GetCurrentProcess StackWalk64 8160 4566a0 wsprintfA 8159->8160 8159->8161 8162 4566ba 8160->8162 8161->8159 8161->8160 8163 456652 wsprintfA 8161->8163 8164 456712 wsprintfA 8162->8164 8165 4566ed wsprintfA 8162->8165 8166 4566da wsprintfA 8162->8166 8163->8161 8167 45e8a1 30 API calls 8164->8167 8165->8162 8166->8165 8168 456739 8167->8168 8169 45e318 23 API calls 8168->8169 8170 456741 8169->8170 7997 455453 8002 45543a 7997->8002 8003 455048 8 API calls 8002->8003 8004 45544b 8003->8004 8005 454ed3 8010 454c9a 8005->8010 8011 454ca9 8010->8011 8013 454cd8 8010->8013 8012 45ec2e codecvt 4 API calls 8011->8012 8012->8013 8171 455d93 IsBadWritePtr 8172 455ddc 8171->8172 8173 455da8 8171->8173 8173->8172 8175 455389 8173->8175 8176 454bd1 4 API calls 
8175->8176 8177 4553a5 8176->8177 8178 454ae6 8 API calls 8177->8178 8181 4553ad 8178->8181 8179 455407 8179->8172 8180 454ae6 8 API calls 8180->8181 8181->8179 8181->8180 8014 4543d2 8015 4543e0 8014->8015 8016 4543ef 8015->8016 8017 451940 4 API calls 8015->8017 8017->8016 8182 454e92 GetTickCount 8183 454ec0 InterlockedExchange 8182->8183 8184 454ead GetTickCount 8183->8184 8185 454ec9 8183->8185 8184->8185 8186 454eb8 Sleep 8184->8186 8186->8183 8187 455099 8188 454bd1 4 API calls 8187->8188 8189 4550a2 8188->8189 8018 45195b 8019 451971 8018->8019 8020 45196b 8018->8020 8021 45ec2e codecvt 4 API calls 8020->8021 8021->8019 8190 4535a5 8191 4530fa 4 API calls 8190->8191 8192 4535b3 8191->8192 8196 4535ea 8192->8196 8197 45355d 8192->8197 8194 4535da 8195 45355d 4 API calls 8194->8195 8194->8196 8195->8196 8198 45f04e 4 API calls 8197->8198 8199 45356a 8198->8199 8199->8194 8022 454861 IsBadWritePtr 8023 454876 8022->8023 8024 459961 RegisterServiceCtrlHandlerA 8025 45997d 8024->8025 8026 4599cb 8024->8026 8034 459892 8025->8034 8028 45999a 8029 4599ba 8028->8029 8030 459892 SetServiceStatus 8028->8030 8029->8026 8031 459892 SetServiceStatus 8029->8031 8032 4599aa 8030->8032 8031->8026 8032->8029 8033 4598f2 41 API calls 8032->8033 8033->8029 8035 4598c2 SetServiceStatus 8034->8035 8035->8028 8200 455e21 8201 455e36 8200->8201 8202 455e29 8200->8202 8203 4550dc 17 API calls 8202->8203 8203->8201 8037 454960 8038 45496d 8037->8038 8040 45497d 8037->8040 8039 45ebed 8 API calls 8038->8039 8039->8040 8204 455029 8209 454a02 8204->8209 8210 454a12 8209->8210 8211 454a18 8209->8211 8212 45ec2e codecvt 4 API calls 8210->8212 8213 454a26 8211->8213 8214 45ec2e codecvt 4 API calls 8211->8214 8212->8211 8215 45ec2e codecvt 4 API calls 8213->8215 8216 454a34 8213->8216 8214->8213 8215->8216 6137 459a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 6253 45ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6137->6253 6139 459a95 6140 459aa3 
GetModuleHandleA GetModuleFileNameA 6139->6140 6147 45a3cc 6139->6147 6154 459ac4 6140->6154 6141 45a41c CreateThread WSAStartup 6254 45e52e 6141->6254 7329 45405e CreateEventA 6141->7329 6143 459afd GetCommandLineA 6152 459b22 6143->6152 6144 45a406 DeleteFileA 6146 45a40d 6144->6146 6144->6147 6145 45a445 6273 45eaaf 6145->6273 6146->6141 6147->6141 6147->6144 6147->6146 6149 45a3ed GetLastError 6147->6149 6149->6146 6151 45a3f8 Sleep 6149->6151 6150 45a44d 6277 451d96 6150->6277 6151->6144 6157 459c0c 6152->6157 6166 459b47 6152->6166 6154->6143 6155 45a457 6325 4580c9 6155->6325 6517 4596aa 6157->6517 6163 45a1d2 6173 45a1e3 GetCommandLineA 6163->6173 6164 459c39 6167 45a167 GetModuleHandleA GetModuleFileNameA 6164->6167 6523 454280 CreateEventA 6164->6523 6169 459b96 lstrlenA 6166->6169 6172 459b58 6166->6172 6170 459c05 ExitProcess 6167->6170 6171 45a189 6167->6171 6169->6172 6171->6170 6181 45a1b2 GetDriveTypeA 6171->6181 6172->6170 6476 45675c 6172->6476 6197 45a205 6173->6197 6181->6170 6183 45a1c5 6181->6183 6624 459145 GetModuleHandleA GetModuleFileNameA CharToOemA 6183->6624 6184 45675c 21 API calls 6186 459c79 6184->6186 6186->6167 6193 459ca0 GetTempPathA 6186->6193 6194 459e3e 6186->6194 6187 459bff 6187->6170 6189 45a49f GetTickCount 6190 45a491 6189->6190 6191 45a4be Sleep 6189->6191 6190->6189 6190->6191 6196 45a4b7 GetTickCount 6190->6196 6372 45c913 6190->6372 6191->6190 6193->6194 6195 459cba 6193->6195 6200 459e6b GetEnvironmentVariableA 6194->6200 6205 459e04 6194->6205 6549 4599d2 lstrcpyA 6195->6549 6196->6191 6201 45a285 lstrlenA 6197->6201 6211 45a239 6197->6211 6204 459e7d 6200->6204 6200->6205 6201->6211 6206 4599d2 16 API calls 6204->6206 6619 45ec2e 6205->6619 6207 459e9d 6206->6207 6207->6205 6213 459eb0 lstrcpyA lstrlenA 6207->6213 6209 459d5f 6563 456cc9 6209->6563 6632 456ec3 6211->6632 6212 45a3c2 6636 4598f2 6212->6636 6216 459ef4 6213->6216 6217 456dc2 6 API calls 6216->6217 6221 459f03 6216->6221 6217->6221 6218 45a39d 
StartServiceCtrlDispatcherA 6218->6212 6219 459d72 lstrcpyA lstrcatA lstrcatA 6222 459cf6 6219->6222 6220 45a3c7 6220->6147 6223 459f32 RegOpenKeyExA 6221->6223 6572 459326 6222->6572 6225 459f48 RegSetValueExA RegCloseKey 6223->6225 6228 459f70 6223->6228 6224 45a35f 6224->6212 6224->6218 6225->6228 6233 459f9d GetModuleHandleA GetModuleFileNameA 6228->6233 6229 459e0c DeleteFileA 6229->6194 6230 459dde GetFileAttributesExA 6230->6229 6232 459df7 6230->6232 6232->6205 6609 4596ff 6232->6609 6235 459fc2 6233->6235 6236 45a093 6233->6236 6235->6236 6242 459ff1 GetDriveTypeA 6235->6242 6237 45a103 CreateProcessA 6236->6237 6240 45a0a4 wsprintfA 6236->6240 6238 45a13a 6237->6238 6239 45a12a DeleteFileA 6237->6239 6238->6205 6246 4596ff 3 API calls 6238->6246 6239->6238 6615 452544 6240->6615 6242->6236 6244 45a00d 6242->6244 6248 45a02d lstrcatA 6244->6248 6246->6205 6249 45a046 6248->6249 6250 45a064 lstrcatA 6249->6250 6251 45a052 lstrcatA 6249->6251 6250->6236 6252 45a081 lstrcatA 6250->6252 6251->6250 6252->6236 6253->6139 6643 45dd05 GetTickCount 6254->6643 6256 45e538 6651 45dbcf 6256->6651 6258 45e544 6259 45e555 GetFileSize 6258->6259 6263 45e5b8 6258->6263 6260 45e566 6259->6260 6261 45e5b1 CloseHandle 6259->6261 6675 45db2e 6260->6675 6261->6263 6661 45e3ca RegOpenKeyExA 6263->6661 6265 45e576 ReadFile 6265->6261 6267 45e58d 6265->6267 6679 45e332 6267->6679 6269 45e5f2 6271 45e3ca 19 API calls 6269->6271 6272 45e629 6269->6272 6271->6272 6272->6145 6274 45eabe 6273->6274 6276 45eaba 6273->6276 6275 45dd05 6 API calls 6274->6275 6274->6276 6275->6276 6276->6150 6278 45ee2a 6277->6278 6279 451db4 GetVersionExA 6278->6279 6280 451dd0 GetSystemInfo GetModuleHandleA GetProcAddress 6279->6280 6282 451e24 6280->6282 6283 451e16 GetCurrentProcess 6280->6283 6737 45e819 6282->6737 6283->6282 6285 451e3d 6286 45e819 11 API calls 6285->6286 6287 451e4e 6286->6287 6288 451e77 6287->6288 6778 45df70 6287->6778 6744 45ea84 6288->6744 6292 451e6c 6294 45df70 12 API calls 
6292->6294 6293 45e819 11 API calls 6295 451e93 6293->6295 6294->6288 6748 45199c inet_addr LoadLibraryA 6295->6748 6298 45e819 11 API calls 6299 451eb9 6298->6299 6300 451ed8 6299->6300 6302 45f04e 4 API calls 6299->6302 6301 45e819 11 API calls 6300->6301 6303 451eee 6301->6303 6304 451ec9 6302->6304 6305 451f0a 6303->6305 6762 451b71 6303->6762 6306 45ea84 30 API calls 6304->6306 6308 45e819 11 API calls 6305->6308 6306->6300 6310 451f23 6308->6310 6309 451efd 6311 45ea84 30 API calls 6309->6311 6312 451f3f 6310->6312 6766 451bdf 6310->6766 6311->6305 6313 45e819 11 API calls 6312->6313 6315 451f5e 6313->6315 6318 45ea84 30 API calls 6315->6318 6320 451f77 6315->6320 6317 45ea84 30 API calls 6317->6312 6318->6320 6774 4530b5 6320->6774 6323 456ec3 2 API calls 6324 451f8e GetTickCount 6323->6324 6324->6155 6326 456ec3 2 API calls 6325->6326 6327 4580eb 6326->6327 6328 4580ef 6327->6328 6329 4580f9 6327->6329 6832 457ee6 6328->6832 6845 45704c 6329->6845 6332 4580f4 6334 45675c 21 API calls 6332->6334 6345 458269 CreateThread 6332->6345 6333 458110 6333->6332 6335 458156 RegOpenKeyExA 6333->6335 6340 458244 6334->6340 6336 458216 6335->6336 6337 45816d RegQueryValueExA 6335->6337 6336->6332 6338 4581f7 6337->6338 6339 45818d 6337->6339 6341 45820d RegCloseKey 6338->6341 6343 45ec2e codecvt 4 API calls 6338->6343 6339->6338 6344 45ebcc 4 API calls 6339->6344 6342 45ec2e codecvt 4 API calls 6340->6342 6340->6345 6341->6336 6342->6345 6350 4581dd 6343->6350 6346 4581a0 6344->6346 6351 455e6c 6345->6351 7307 45877e 6345->7307 6346->6341 6347 4581aa RegQueryValueExA 6346->6347 6347->6338 6348 4581c4 6347->6348 6349 45ebcc 4 API calls 6348->6349 6349->6350 6350->6341 6947 45ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 6351->6947 6353 455e71 6948 45e654 6353->6948 6355 455ec1 6356 453132 6355->6356 6357 45df70 12 API calls 6356->6357 6358 45313b 6357->6358 6359 45c125 6358->6359 6959 45ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 
6359->6959 6361 45c12d 6362 45e654 13 API calls 6361->6362 6363 45c2bd 6362->6363 6364 45e654 13 API calls 6363->6364 6365 45c2c9 6364->6365 6366 45e654 13 API calls 6365->6366 6367 45a47a 6366->6367 6368 458db1 6367->6368 6369 458dbc 6368->6369 6370 45e654 13 API calls 6369->6370 6371 458dec Sleep 6370->6371 6371->6190 6373 45c92f 6372->6373 6374 45c93c 6373->6374 6971 45c517 6373->6971 6376 45ca2b 6374->6376 6377 45e819 11 API calls 6374->6377 6376->6190 6378 45c96a 6377->6378 6379 45e819 11 API calls 6378->6379 6380 45c97d 6379->6380 6381 45e819 11 API calls 6380->6381 6382 45c990 6381->6382 6383 45c9aa 6382->6383 6384 45ebcc 4 API calls 6382->6384 6383->6376 6960 452684 6383->6960 6384->6383 6389 45ca26 6988 45c8aa 6389->6988 6392 45ca44 6393 45ca4b closesocket 6392->6393 6394 45ca83 6392->6394 6393->6389 6395 45ea84 30 API calls 6394->6395 6396 45caac 6395->6396 6397 45f04e 4 API calls 6396->6397 6398 45cab2 6397->6398 6399 45ea84 30 API calls 6398->6399 6400 45caca 6399->6400 6401 45ea84 30 API calls 6400->6401 6402 45cad9 6401->6402 6992 45c65c 6402->6992 6405 45cb60 closesocket 6405->6376 6407 45dad2 closesocket 6408 45e318 23 API calls 6407->6408 6409 45dae0 6408->6409 6409->6376 6410 45df4c 20 API calls 6446 45cb70 6410->6446 6415 45e654 13 API calls 6415->6446 6421 45ea84 30 API calls 6421->6446 6422 45d569 closesocket Sleep 7039 45e318 6422->7039 6423 45d815 wsprintfA 6423->6446 6424 45cc1c GetTempPathA 6424->6446 6426 45f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 6426->6446 6427 45c517 23 API calls 6427->6446 6428 45d582 ExitProcess 6429 45e8a1 30 API calls 6429->6446 6430 45cfe3 GetSystemDirectoryA 6430->6446 6431 45675c 21 API calls 6431->6446 6432 45d027 GetSystemDirectoryA 6432->6446 6433 45c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 6433->6446 6434 45cfad GetEnvironmentVariableA 6434->6446 6435 45d105 lstrcatA 6435->6446 6436 45ef1e lstrlenA 6436->6446 6437 45ec2e GetProcessHeap HeapSize 
GetProcessHeap RtlFreeHeap codecvt 6437->6446 6438 45cc9f CreateFileA 6439 45ccc6 WriteFile 6438->6439 6438->6446 6441 45cced CloseHandle 6439->6441 6442 45cdcc CloseHandle 6439->6442 6440 45d15b CreateFileA 6443 45d182 WriteFile CloseHandle 6440->6443 6440->6446 6450 45cd2f 6441->6450 6442->6446 6443->6446 6444 45cd16 wsprintfA 6444->6450 6445 45d149 SetFileAttributesA 6445->6440 6446->6407 6446->6410 6446->6415 6446->6421 6446->6422 6446->6423 6446->6424 6446->6426 6446->6427 6446->6429 6446->6430 6446->6431 6446->6432 6446->6433 6446->6434 6446->6435 6446->6436 6446->6437 6446->6438 6446->6440 6446->6445 6447 45d36e GetEnvironmentVariableA 6446->6447 6448 45d1bf SetFileAttributesA 6446->6448 6449 458e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 6446->6449 6451 457ead 6 API calls 6446->6451 6452 45d22d GetEnvironmentVariableA 6446->6452 6454 45d3af lstrcatA 6446->6454 6456 457fcf 64 API calls 6446->6456 6457 45d3f2 CreateFileA 6446->6457 6463 45d3e0 SetFileAttributesA 6446->6463 6464 45d26e lstrcatA 6446->6464 6466 45d4b1 CreateProcessA 6446->6466 6467 45d2b1 CreateFileA 6446->6467 6469 45d452 SetFileAttributesA 6446->6469 6471 457ee6 64 API calls 6446->6471 6472 45d29f SetFileAttributesA 6446->6472 6475 45d31d SetFileAttributesA 6446->6475 7000 45c75d 6446->7000 7012 457e2f 6446->7012 7034 457ead 6446->7034 7044 4531d0 6446->7044 7061 453c09 6446->7061 7071 453a00 6446->7071 7075 45e7b4 6446->7075 7078 45c06c 6446->7078 7084 456f5f GetUserNameA 6446->7084 7095 45e854 6446->7095 7105 457dd6 6446->7105 6447->6446 6448->6446 6449->6446 6450->6444 7021 457fcf 6450->7021 6451->6446 6452->6446 6454->6446 6454->6457 6456->6446 6457->6446 6458 45d415 WriteFile CloseHandle 6457->6458 6458->6446 6459 45cd81 WaitForSingleObject CloseHandle CloseHandle 6461 45f04e 4 API calls 6459->6461 6460 45cda5 6462 457ee6 64 API calls 6460->6462 6461->6460 6465 45cdbd DeleteFileA 6462->6465 6463->6457 6464->6446 6464->6467 6465->6446 6466->6446 6468 
45d4e8 CloseHandle CloseHandle 6466->6468 6467->6446 6470 45d2d8 WriteFile CloseHandle 6467->6470 6468->6446 6469->6446 6470->6446 6471->6446 6472->6467 6475->6446 6477 456784 CreateFileA 6476->6477 6478 45677a SetFileAttributesA 6476->6478 6479 4567b5 6477->6479 6480 4567a4 CreateFileA 6477->6480 6478->6477 6481 4567c5 6479->6481 6482 4567ba SetFileAttributesA 6479->6482 6480->6479 6483 456977 6481->6483 6484 4567cf GetFileSize 6481->6484 6482->6481 6483->6170 6504 456a60 CreateFileA 6483->6504 6485 4567e5 6484->6485 6503 456965 6484->6503 6486 4567ed ReadFile 6485->6486 6485->6503 6488 456811 SetFilePointer 6486->6488 6486->6503 6487 45696e FindCloseChangeNotification 6487->6483 6489 45682a ReadFile 6488->6489 6488->6503 6490 456848 SetFilePointer 6489->6490 6489->6503 6491 456867 6490->6491 6490->6503 6492 456878 ReadFile 6491->6492 6494 4568d5 6491->6494 6493 4568d0 6492->6493 6497 456891 6492->6497 6493->6494 6494->6487 6495 45ebcc 4 API calls 6494->6495 6496 4568f8 6495->6496 6498 456900 SetFilePointer 6496->6498 6496->6503 6497->6492 6497->6493 6499 45690d ReadFile 6498->6499 6500 45695a 6498->6500 6499->6500 6501 456922 6499->6501 6502 45ec2e codecvt 4 API calls 6500->6502 6501->6487 6502->6503 6503->6487 6505 456b8c GetLastError 6504->6505 6506 456a8f GetDiskFreeSpaceA 6504->6506 6508 456b86 6505->6508 6507 456ac5 6506->6507 6516 456ad7 6506->6516 7190 45eb0e 6507->7190 6508->6187 6512 456b56 CloseHandle 6512->6508 6515 456b65 GetLastError CloseHandle 6512->6515 6513 456b36 GetLastError CloseHandle 6514 456b7f DeleteFileA 6513->6514 6514->6508 6515->6514 7194 456987 6516->7194 6518 4596b9 6517->6518 6519 4573ff 17 API calls 6518->6519 6520 4596e2 6519->6520 6521 4596f7 6520->6521 6522 45704c 16 API calls 6520->6522 6521->6163 6521->6164 6522->6521 6524 4542a5 6523->6524 6529 45429d 6523->6529 7200 453ecd 6524->7200 6526 4542b0 7204 454000 6526->7204 6528 4543c1 CloseHandle 6528->6529 6529->6167 6529->6184 6530 4542b6 6530->6528 6530->6529 7210 453f18 
WriteFile 6530->7210 6535 4543ba CloseHandle 6535->6528 6536 454318 6537 453f18 4 API calls 6536->6537 6538 454331 6537->6538 6539 453f18 4 API calls 6538->6539 6540 45434a 6539->6540 6541 45ebcc 4 API calls 6540->6541 6542 454350 6541->6542 6543 453f18 4 API calls 6542->6543 6544 454389 6543->6544 6545 45ec2e codecvt 4 API calls 6544->6545 6546 45438f 6545->6546 6547 453f8c 4 API calls 6546->6547 6548 45439f CloseHandle CloseHandle 6547->6548 6548->6529 6550 4599eb 6549->6550 6551 459a2f lstrcatA 6550->6551 6552 45ee2a 6551->6552 6553 459a4b lstrcatA 6552->6553 6554 456a60 13 API calls 6553->6554 6555 459a60 6554->6555 6555->6194 6555->6222 6556 456dc2 6555->6556 6557 456dd7 6556->6557 6558 456e33 6556->6558 6559 456cc9 5 API calls 6557->6559 6558->6209 6560 456ddc 6559->6560 6560->6560 6561 456e24 6560->6561 6562 456e02 GetVolumeInformationA 6560->6562 6561->6558 6562->6561 6564 456cdc GetModuleHandleA GetProcAddress 6563->6564 6570 456d8b 6563->6570 6565 456d12 GetSystemDirectoryA 6564->6565 6566 456cfd 6564->6566 6567 456d27 GetWindowsDirectoryA 6565->6567 6568 456d1e 6565->6568 6566->6565 6566->6570 6569 456d42 6567->6569 6568->6567 6568->6570 6571 45ef1e lstrlenA 6569->6571 6570->6219 6571->6570 7218 451910 6572->7218 6575 45934a GetModuleHandleA GetModuleFileNameA 6577 45937f 6575->6577 6578 4593a4 6577->6578 6579 4593d9 6577->6579 6580 4593c3 wsprintfA 6578->6580 6581 459401 wsprintfA 6579->6581 6583 459415 6580->6583 6581->6583 6582 4594a0 6584 456edd 5 API calls 6582->6584 6583->6582 6586 456cc9 5 API calls 6583->6586 6585 4594ac 6584->6585 6587 45962f 6585->6587 6588 4594e8 RegOpenKeyExA 6585->6588 6592 459439 6586->6592 6594 459646 6587->6594 7233 451820 6587->7233 6590 459502 6588->6590 6591 4594fb 6588->6591 6595 45951f RegQueryValueExA 6590->6595 6591->6587 6597 45958a 6591->6597 6596 45ef1e lstrlenA 6592->6596 6603 4595d6 6594->6603 7239 4591eb 6594->7239 6598 459530 6595->6598 6599 459539 6595->6599 6600 459462 6596->6600 6597->6594 6601 459593 
6597->6601 6602 45956e RegCloseKey 6598->6602 6604 459556 RegQueryValueExA 6599->6604 6605 45947e wsprintfA 6600->6605 6601->6603 7220 45f0e4 6601->7220 6602->6591 6603->6229 6603->6230 6604->6598 6604->6602 6605->6582 6607 4595bb 6607->6603 7227 4518e0 6607->7227 6610 452544 6609->6610 6611 45972d RegOpenKeyExA 6610->6611 6612 459765 6611->6612 6613 459740 6611->6613 6612->6205 6614 45974f RegDeleteValueA RegCloseKey 6613->6614 6614->6612 6616 452554 lstrcatA 6615->6616 6617 45ee2a 6616->6617 6618 45a0ec lstrcatA 6617->6618 6618->6237 6620 45ec37 6619->6620 6621 45a15d 6619->6621 6622 45eba0 codecvt 2 API calls 6620->6622 6621->6167 6621->6170 6623 45ec3d GetProcessHeap RtlFreeHeap 6622->6623 6623->6621 6625 452544 6624->6625 6626 45919e wsprintfA 6625->6626 6627 4591bb 6626->6627 7278 459064 GetTempPathA 6627->7278 6630 4591d5 ShellExecuteA 6631 4591e7 6630->6631 6631->6187 6633 456ed5 6632->6633 6634 456ecc 6632->6634 6633->6224 6635 456e36 2 API calls 6634->6635 6635->6633 6637 4598f6 6636->6637 6638 454280 30 API calls 6637->6638 6639 459904 Sleep 6637->6639 6640 459915 6637->6640 6638->6637 6639->6637 6639->6640 6642 459947 6640->6642 7285 45977c 6640->7285 6642->6220 6644 45dd41 InterlockedExchange 6643->6644 6645 45dd20 GetCurrentThreadId 6644->6645 6646 45dd4a 6644->6646 6647 45dd53 GetCurrentThreadId 6645->6647 6648 45dd2e GetTickCount 6645->6648 6646->6647 6647->6256 6649 45dd4c 6648->6649 6650 45dd39 Sleep 6648->6650 6649->6647 6650->6644 6652 45dbf0 6651->6652 6684 45db67 GetEnvironmentVariableA 6652->6684 6654 45dc19 6655 45dcda 6654->6655 6656 45db67 3 API calls 6654->6656 6655->6258 6657 45dc5c 6656->6657 6657->6655 6658 45db67 3 API calls 6657->6658 6659 45dc9b 6658->6659 6659->6655 6660 45db67 3 API calls 6659->6660 6660->6655 6662 45e528 6661->6662 6663 45e3f4 6661->6663 6662->6269 6664 45e434 RegQueryValueExA 6663->6664 6665 45e51d RegCloseKey 6664->6665 6666 45e458 6664->6666 6665->6662 6667 45e46e RegQueryValueExA 6666->6667 6667->6666 6668 
45e488 6667->6668 6668->6665 6669 45db2e 8 API calls 6668->6669 6671 45e499 6669->6671 6670 45e4b9 RegQueryValueExA 6670->6671 6672 45e4e8 6670->6672 6671->6665 6671->6670 6671->6672 6672->6665 6673 45e332 14 API calls 6672->6673 6674 45e513 6673->6674 6674->6665 6676 45db55 6675->6676 6677 45db3a 6675->6677 6676->6261 6676->6265 6688 45ebed 6677->6688 6706 45f04e SystemTimeToFileTime GetSystemTimeAsFileTime 6679->6706 6681 45e3be 6681->6261 6682 45e342 6682->6681 6709 45de24 6682->6709 6685 45db89 lstrcpyA CreateFileA 6684->6685 6686 45dbca 6684->6686 6685->6654 6686->6654 6689 45ebf6 6688->6689 6690 45ec01 6688->6690 6697 45ebcc GetProcessHeap RtlAllocateHeap 6689->6697 6700 45eba0 6690->6700 6698 45eb74 2 API calls 6697->6698 6699 45ebe8 6698->6699 6699->6676 6701 45eba7 GetProcessHeap HeapSize 6700->6701 6702 45ebbf GetProcessHeap HeapReAlloc 6700->6702 6701->6702 6703 45eb74 6702->6703 6704 45eb93 6703->6704 6705 45eb7b GetProcessHeap HeapSize 6703->6705 6704->6676 6705->6704 6720 45eb41 6706->6720 6708 45f0b7 6708->6682 6711 45de3a 6709->6711 6716 45de4e 6711->6716 6729 45dd84 6711->6729 6713 45ebed 8 API calls 6718 45def6 6713->6718 6714 45de9e 6714->6713 6714->6716 6715 45de76 6733 45ddcf 6715->6733 6716->6682 6718->6716 6719 45ddcf lstrcmpA 6718->6719 6719->6716 6721 45eb4a 6720->6721 6723 45eb61 6720->6723 6725 45eae4 6721->6725 6723->6708 6724 45eb54 6724->6708 6724->6723 6726 45eb02 GetProcAddress 6725->6726 6727 45eaed LoadLibraryA 6725->6727 6726->6724 6727->6726 6728 45eb01 6727->6728 6728->6724 6731 45ddc5 6729->6731 6732 45dd96 6729->6732 6730 45ddad lstrcmpiA 6730->6731 6730->6732 6731->6714 6731->6715 6732->6730 6732->6731 6734 45de20 6733->6734 6735 45dddd 6733->6735 6734->6716 6735->6734 6736 45ddfa lstrcmpA 6735->6736 6736->6735 6738 45dd05 6 API calls 6737->6738 6739 45e821 6738->6739 6740 45dd84 lstrcmpiA 6739->6740 6741 45e82c 6740->6741 6742 45e844 6741->6742 6787 452480 6741->6787 6742->6285 6745 45ea98 6744->6745 6796 45e8a1 6745->6796 
6747 451e84 6747->6293 6749 4519d5 GetProcAddress GetProcAddress GetProcAddress 6748->6749 6750 4519ce 6748->6750 6751 451a04 6749->6751 6752 451ab3 FreeLibrary 6749->6752 6750->6298 6751->6752 6753 451a14 GetBestInterface GetProcessHeap 6751->6753 6752->6750 6753->6750 6754 451a2e HeapAlloc 6753->6754 6754->6750 6755 451a42 GetAdaptersInfo 6754->6755 6756 451a62 6755->6756 6757 451a52 HeapReAlloc 6755->6757 6758 451aa1 FreeLibrary 6756->6758 6759 451a69 GetAdaptersInfo 6756->6759 6757->6756 6758->6750 6759->6758 6760 451a75 HeapFree 6759->6760 6760->6758 6824 451ac3 LoadLibraryA 6762->6824 6765 451bcf 6765->6309 6767 451ac3 13 API calls 6766->6767 6768 451c09 6767->6768 6769 451c0d GetComputerNameA 6768->6769 6770 451c5a 6768->6770 6771 451c45 GetVolumeInformationA 6769->6771 6772 451c1f 6769->6772 6770->6317 6771->6770 6772->6771 6773 451c41 6772->6773 6773->6770 6775 45ee2a 6774->6775 6776 4530d0 gethostname gethostbyname 6775->6776 6777 451f82 6776->6777 6777->6323 6777->6324 6779 45dd05 6 API calls 6778->6779 6780 45df7c 6779->6780 6781 45dd84 lstrcmpiA 6780->6781 6785 45df89 6781->6785 6782 45dfc4 6782->6292 6783 45ddcf lstrcmpA 6783->6785 6784 45ec2e codecvt 4 API calls 6784->6785 6785->6782 6785->6783 6785->6784 6786 45dd84 lstrcmpiA 6785->6786 6786->6785 6790 452419 lstrlenA 6787->6790 6789 452491 6789->6742 6791 452474 6790->6791 6792 45243d lstrlenA 6790->6792 6791->6789 6793 452464 lstrlenA 6792->6793 6794 45244e lstrcmpiA 6792->6794 6793->6791 6793->6792 6794->6793 6795 45245c 6794->6795 6795->6791 6795->6793 6797 45dd05 6 API calls 6796->6797 6798 45e8b4 6797->6798 6799 45dd84 lstrcmpiA 6798->6799 6800 45e8c0 6799->6800 6801 45e90a 6800->6801 6802 45e8c8 lstrcpynA 6800->6802 6804 452419 4 API calls 6801->6804 6812 45ea27 6801->6812 6803 45e8f5 6802->6803 6817 45df4c 6803->6817 6805 45e926 lstrlenA lstrlenA 6804->6805 6807 45e94c lstrlenA 6805->6807 6808 45e96a 6805->6808 6807->6808 6811 45ebcc 4 API calls 6808->6811 6808->6812 6809 45e901 6810 45dd84 
Execution graph (text extraction of the rendered graph; the drawing itself is not recoverable). The extracted data is an edge list of basic-block node ids (6747 through 8237) annotated with code addresses in the sample's 0x451000 to 0x45F4xx range and the Windows API calls made at each block, including registry access (RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegSetKeySecurity), security-descriptor manipulation (LookupAccountNameA, GetFileSecurityA, SetFileSecurityA, SetSecurityDescriptorDacl, DeleteAce), process creation and injection (CreateProcessA, GetThreadContext, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread), named-pipe IPC (CreateNamedPipeA, ConnectNamedPipe), networking (socket, connect, select, send, recv, sendto, gethostbyname, gethostbyaddr, DnsQuery_A), file drops (GetTempPathA, CreateFileA, WriteFile, DeleteFileA) and timing loops (GetTickCount, Sleep, InterlockedExchange).
APIs
• closesocket.WS2_32(?), ref: 0045CA4E
• closesocket.WS2_32(?), ref: 0045CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0045CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0045CCB4
• WriteFile.KERNEL32(0045A4B3,?,-000000E8,?,00000000), ref: 0045CCDC
• CloseHandle.KERNEL32(0045A4B3), ref: 0045CCED
• wsprintfA.USER32 ref: 0045CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0045CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0045CD89
• CloseHandle.KERNEL32(?), ref: 0045CD98
• CloseHandle.KERNEL32(?), ref: 0045CD9D
• DeleteFileA.KERNEL32(?), ref: 0045CDC4
• CloseHandle.KERNEL32(0045A4B3), ref: 0045CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0045CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0045CFEF
                                                                                          • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0045D033
                                                                                          • lstrcatA.KERNEL32(?,03900108), ref: 0045D10C
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080), ref: 0045D155
                                                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0045D171
                                                                                          • WriteFile.KERNEL32(00000000,0390012C,?,?,00000000), ref: 0045D195
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0045D19C
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002), ref: 0045D1C8
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0045D231
                                                                                          • lstrcatA.KERNEL32(?,03900108,?,?,?,?,?,?,?,00000100), ref: 0045D27C
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0045D2AB
                                                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0045D2C7
                                                                                          • WriteFile.KERNEL32(00000000,0390012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0045D2EB
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0045D2F2
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0045D326
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0045D372
                                                                                          • lstrcatA.KERNEL32(?,03900108,?,?,?,?,?,?,?,00000100), ref: 0045D3BD
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0045D3EC
                                                                                          • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0045D408
                                                                                          • WriteFile.KERNEL32(00000000,0390012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0045D428
                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0045D42F
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0045D45B
                                                                                          • CreateProcessA.KERNEL32(?,00460264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0045D4DE
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0045D4F4
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0045D4FC
                                                                                          • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0045D513
                                                                                          • closesocket.WS2_32(?), ref: 0045D56C
                                                                                          • Sleep.KERNEL32(000003E8), ref: 0045D577
                                                                                          • ExitProcess.KERNEL32 ref: 0045D583
                                                                                          • wsprintfA.USER32 ref: 0045D81F
                                                                                            • Part of subcall function 0045C65C: send.WS2_32(00000000,?,00000000), ref: 0045C74B
                                                                                          • closesocket.WS2_32(?), ref: 0045DAD5
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                          • String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe$X F$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                          • API String ID: 562065436-1142629981
                                                                                          • Opcode ID: ece61f69d1e51087402c0409c6020753906dfa92f92575cc06a7e4fb5c499431
                                                                                          • Instruction ID: aaf224fff9ed8347996d404b0e437d7f9d0baeb3776143faa7984a1dc19ffc45
                                                                                          • Opcode Fuzzy Hash: ece61f69d1e51087402c0409c6020753906dfa92f92575cc06a7e4fb5c499431
                                                                                          • Instruction Fuzzy Hash: B0B2B771D00208BFEB249F65DD85FEF77B8AF05306F14006BF905A2292E7B85A49CB59
                                                                                          APIs
                                                                                          • SetErrorMode.KERNELBASE(00000003), ref: 00459A7F
                                                                                          • SetErrorMode.KERNELBASE(00000003), ref: 00459A83
                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00456511), ref: 00459A8A
                                                                                            • Part of subcall function 0045EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0045EC5E
                                                                                            • Part of subcall function 0045EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0045EC72
                                                                                            • Part of subcall function 0045EC54: GetTickCount.KERNEL32 ref: 0045EC78
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00459AB3
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 00459ABA
                                                                                          • GetCommandLineA.KERNEL32 ref: 00459AFD
                                                                                          • lstrlenA.KERNEL32(?), ref: 00459B99
                                                                                          • ExitProcess.KERNEL32 ref: 00459C06
                                                                                          • GetTempPathA.KERNEL32(000001F4,?), ref: 00459CAC
                                                                                          • lstrcpyA.KERNEL32(?,00000000), ref: 00459D7A
                                                                                          • lstrcatA.KERNEL32(?,?), ref: 00459D8B
                                                                                          • lstrcatA.KERNEL32(?,0046070C), ref: 00459D9D
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00459DED
                                                                                          • DeleteFileA.KERNEL32(00000022), ref: 00459E38
                                                                                          • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00459E6F
                                                                                          • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00459EC8
                                                                                          • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00459ED5
                                                                                          • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00459F3B
                                                                                          • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00459F5E
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00459F6A
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00459FAD
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00459FB4
                                                                                          • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00459FFE
                                                                                          • lstrcatA.KERNEL32(00000022,00000000), ref: 0045A038
                                                                                          • lstrcatA.KERNEL32(00000022,00460A34), ref: 0045A05E
                                                                                          • lstrcatA.KERNEL32(00000022,00000022), ref: 0045A072
                                                                                          • lstrcatA.KERNEL32(00000022,00460A34), ref: 0045A08D
                                                                                          • wsprintfA.USER32 ref: 0045A0B6
                                                                                          • lstrcatA.KERNEL32(00000022,00000000), ref: 0045A0DE
                                                                                          • lstrcatA.KERNEL32(00000022,?), ref: 0045A0FD
                                                                                          • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0045A120
                                                                                          • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0045A131
                                                                                          • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0045A174
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 0045A17B
                                                                                          • GetDriveTypeA.KERNEL32(00000022), ref: 0045A1B6
                                                                                          • GetCommandLineA.KERNEL32 ref: 0045A1E5
                                                                                            • Part of subcall function 004599D2: lstrcpyA.KERNEL32(?,?,00000100,004622F8,00000000,?,00459E9D,?,00000022,?,?,?,?,?,?,?), ref: 004599DF
                                                                                            • Part of subcall function 004599D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00459E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00459A3C
                                                                                            • Part of subcall function 004599D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00459E9D,?,00000022,?,?,?), ref: 00459A52
                                                                                          • lstrlenA.KERNEL32(?), ref: 0045A288
                                                                                          • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0045A3B7
                                                                                          • GetLastError.KERNEL32 ref: 0045A3ED
                                                                                          • Sleep.KERNELBASE(000003E8), ref: 0045A400
                                                                                          • DeleteFileA.KERNELBASE(004633D8), ref: 0045A407
                                                                                          • CreateThread.KERNELBASE(00000000,00000000,0045405E,00000000,00000000,00000000), ref: 0045A42C
                                                                                          • WSAStartup.WS2_32(00001010,?), ref: 0045A43A
                                                                                          • CreateThread.KERNELBASE(00000000,00000000,0045877E,00000000,00000000,00000000), ref: 0045A469
                                                                                          • Sleep.KERNELBASE(00000BB8), ref: 0045A48A
                                                                                          • GetTickCount.KERNEL32 ref: 0045A49F
                                                                                          • GetTickCount.KERNEL32 ref: 0045A4B7
                                                                                          • Sleep.KERNELBASE(00001A90), ref: 0045A4C3
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                          • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe$D$P$\$bzycpcet
                                                                                          • API String ID: 2089075347-3664033155
                                                                                          • Opcode ID: 324d113e9e485487f1c928da26380612efba05300bf0c4dea372e089f1bd25b2
                                                                                          • Instruction ID: 3f03944f31492c3d237d727120d70d8cbc3d9ccef1f93f1584638739de4cb108
                                                                                          • Opcode Fuzzy Hash: 324d113e9e485487f1c928da26380612efba05300bf0c4dea372e089f1bd25b2
                                                                                          • Instruction Fuzzy Hash: B052A3B1C00259EFDB11DFA19C49EEF77BCAB05305F1445ABF905E2142E6788E4C8B6A
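The two function records above list the sample's calls in the IDA plugin's own notation (API.MODULE(args), ref: address), with every unresolved argument shown as ? and every resolved one as an 8-digit hex value. The Python below is an added example, not code from Joe Sandbox or from the analysed sample: it parses that notation, decodes the flag values that actually occur in the two listings (GENERIC_WRITE, CREATE_ALWAYS, FILE_ATTRIBUTE_HIDDEN, CREATE_NO_WINDOW, HKEY_CURRENT_USER, REG_SZ, the SetErrorMode bits and the millisecond timeouts) using names from the Windows SDK headers, and runs ordered-sequence heuristics over each record: a drop-and-execute chain (CreateFileA for write, WriteFile, CloseHandle, CreateProcessA, DeleteFileA), a hidden-file drop, a registry value write and a service entry point. The rule names and sequence heuristics are this example's own, not Joe Sandbox signatures; the SAMPLE_DROPPER and SAMPLE_ENTRY lists are copied from the first and second listing above.

```python
# Added example (not code from the Joe Sandbox report or from the sample): parse the
# "APIs" listing of a function record and decode it.  SAMPLE_* lines are copied from this
# report's listings; flag names are from the Windows SDK headers and cover only values seen
# there.  The behaviour rules are this example's own heuristics, not Joe Sandbox signatures.
import re

LINE_RE = re.compile(  # "• api.MODULE(args), ref: ADDR", optionally prefixed by a subcall note
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")

def parse_arg(tok):  # '?' -> None (unknown to the plugin); 8 hex digits -> int; else raw text
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16) if re.fullmatch(r"-?[0-9A-Fa-f]{8}", tok) else tok

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
    return {"api": m["api"], "module": m["mod"], "args": args, "ref": int(m["ref"], 16),
            "subcall": int(m["sub"], 16) if m["sub"] else None}

BITFLAGS = {  # (api, positional argument index) -> bit names; indices follow the Win32 prototypes
    ("CreateFileA", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileA", 5): {0x80: "FILE_ATTRIBUTE_NORMAL"},
    ("SetFileAttributesA", 1): {0x02: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL"},
    ("CreateProcessA", 5): {0x08000000: "CREATE_NO_WINDOW"},
    ("SetErrorMode", 0): {0x1: "SEM_FAILCRITICALERRORS", 0x2: "SEM_NOGPFAULTERRORBOX"},
}
ENUMS = {
    ("CreateFileA", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING"},
    ("RegOpenKeyExA", 0): {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"},
    ("RegSetValueExA", 3): {1: "REG_SZ", 3: "REG_BINARY", 4: "REG_DWORD"},
}
MILLISECONDS = {("WaitForSingleObject", 1), ("Sleep", 0)}

def decode(call):  # {arg_index: symbolic value} for the arguments that have a table above
    out = {}
    for idx, val in enumerate(call["args"]):
        key = (call["api"], idx)
        if not isinstance(val, int):
            continue
        if key in BITFLAGS and val:
            names = [n for bit, n in BITFLAGS[key].items() if val & bit]
            rest = val & ~sum(BITFLAGS[key])  # flag bits are disjoint, so the key sum is their OR
            out[idx] = "|".join(names) + (f"|0x{rest:x}" if rest else "")
        elif key in ENUMS:
            out[idx] = ENUMS[key].get(val, f"0x{val:x}")
        elif key in MILLISECONDS:
            out[idx] = f"{val} ms"
    return out

def _in_order(calls, preds):  # subsequence match: each predicate hits a call, in order
    i = 0
    for c in calls:
        if i < len(preds) and preds[i](c):
            i += 1
    return i == len(preds)

def _api(name):
    return lambda c: c["api"] == name
def _opens_for_write(c):
    a = c["args"]
    return c["api"] == "CreateFileA" and len(a) > 1 and isinstance(a[1], int) and bool(a[1] & 0x40000000)
RULES = {  # behaviour name -> ordered predicates over one function's call list
    "drop_and_execute": [_opens_for_write, _api("WriteFile"), _api("CloseHandle"),
                         _api("CreateProcessA"), _api("DeleteFileA")],
    "hidden_file_drop": [_opens_for_write, _api("WriteFile"),
                         lambda c: c["api"] == "SetFileAttributesA" and c["args"][1:2] == [0x02]],
    "registry_value_written": [_api("RegOpenKeyExA"), _api("RegSetValueExA"), _api("RegCloseKey")],
    "service_entry_point": [_api("StartServiceCtrlDispatcherA")],
}

def summarize(lines):
    calls = [c for c in map(parse_line, lines) if c]
    decoded = {(c["api"], c["ref"]): decode(c) for c in calls if decode(c)}
    return {"calls": len(calls), "decoded": decoded,
            "behaviours": [n for n, preds in RULES.items() if _in_order(calls, preds)]}

SAMPLE_DROPPER = [  # copied from the report: the function that drops and runs a file
    "• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0045CCB4",
    "• WriteFile.KERNEL32(0045A4B3,?,-000000E8,?,00000000), ref: 0045CCDC",
    "• CloseHandle.KERNEL32(0045A4B3), ref: 0045CCED",
    "• wsprintfA.USER32 ref: 0045CD21",
    "• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0045CD77",
    "• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0045CD89",
    "• DeleteFileA.KERNEL32(?), ref: 0045CDC4",
    "• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0045D171",
    "• SetFileAttributesA.KERNEL32(?,00000002), ref: 0045D1C8",
    "  • Part of subcall function 0045C65C: send.WS2_32(00000000,?,00000000), ref: 0045C74B",
]
SAMPLE_ENTRY = [  # copied from the report: the service/entry function
    "• SetErrorMode.KERNELBASE(00000003), ref: 00459A7F",
    "• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00459F3B",
    "• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00459F5E",
    "• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00459F6A",
    "• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0045A3B7",
]
```

summarize(SAMPLE_DROPPER)["behaviours"] returns ['drop_and_execute', 'hidden_file_drop'] and summarize(SAMPLE_ENTRY)["behaviours"] returns ['registry_value_written', 'service_entry_point']; the decoded map shows that the first CreateFileA opens with GENERIC_WRITE and CREATE_ALWAYS, the second with GENERIC_READ|GENERIC_WRITE and FILE_ATTRIBUTE_NORMAL, that the dropped file is then marked FILE_ATTRIBUTE_HIDDEN, and that the child process is started with CREATE_NO_WINDOW and waited on for 60000 ms. Arguments without a table stay as raw integers and ? stays None, so extend BITFLAGS/ENUMS before relying on the decoder for other APIs, and treat the sequence rules as triage hints rather than verdicts: they match on call order within one record only and do not see which file the handles refer to.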

                                                                                          Control-flow Graph
                                                                                          Function 45199c (basic blocks 45199c to 451ac2). Blocks that call APIs: 45199c inet_addr, LoadLibraryA; 4519d5 GetProcAddress (three times); 451a14 GetBestInterface, GetProcessHeap; 451a2e HeapAlloc; 451a42 and 451a69 GetAdaptersInfo; 451a52 HeapReAlloc; 451a96 HeapFree; 451aa1 and 451ab3 FreeLibrary. The executed/not-executed colouring and the edge layout of the rendered graph are not reproducible in text.
                                                                                          APIs
                                                                                          • inet_addr.WS2_32(123.45.67.89), ref: 004519B1
                                                                                          • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,00451E9E), ref: 004519BF
                                                                                          • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004519E2
                                                                                          • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004519ED
                                                                                          • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004519F9
                                                                                          • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,00451E9E), ref: 00451A1B
                                                                                          • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00451E9E), ref: 00451A1D
                                                                                          • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00451E9E), ref: 00451A36
                                                                                          • GetAdaptersInfo.IPHLPAPI(00000000,00451E9E,?,?,?,?,00000001,00451E9E), ref: 00451A4A
                                                                                          • HeapReAlloc.KERNEL32(?,00000000,00000000,00451E9E,?,?,?,?,00000001,00451E9E), ref: 00451A5A
                                                                                          • GetAdaptersInfo.IPHLPAPI(00000000,00451E9E,?,?,?,?,00000001,00451E9E), ref: 00451A6E
                                                                                          • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00451E9E), ref: 00451A9B
                                                                                          • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00451E9E), ref: 00451AA4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                          • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                          • API String ID: 293628436-270533642
                                                                                          • Opcode ID: 31a502b617c0b22c36d1d947436e4a742c099566c27848aba66931257154c5c4
                                                                                          • Instruction ID: 7ad9c6c5bb1f25826ce091520f4ad266b0c671c38fed23738475c2fb107434c6
                                                                                          • Opcode Fuzzy Hash: 31a502b617c0b22c36d1d947436e4a742c099566c27848aba66931257154c5c4
                                                                                          • Instruction Fuzzy Hash: 1F317272D01209AFCB129FE4CC88DBFBBB5EF45302B24057BE901A2221E7794E44CB59

                                                                                          Control-flow Graph
                                                                                          Function 457a95 (basic blocks 457a95 to 457db6). Blocks that call APIs: 457a95 RegOpenKeyExA; 457acb GetUserNameA; 457aed LookupAccountNameA; 457b24 RegGetKeySecurity; 457b49 GetSecurityDescriptorOwner; 457b63, 457c1d and 457c5f EqualSid; 457b74 and 457d5a LocalAlloc; 457b8a and 457d70 InitializeSecurityDescriptor; 457b96 SetSecurityDescriptorOwner; 457ba6 and 457d8c RegSetKeySecurity; 457bb1 and 457d9f LocalFree; 457bb8 GetSecurityDescriptorDacl; 457bf8 GetAce; 457c3a DeleteAce; 457cf2 RegOpenKeyExA; 457d20 call 452544 then RegSetValueExA; 457d7c SetSecurityDescriptorDacl; 457da7 RegCloseKey. The executed/not-executed colouring and the edge layout of the rendered graph are not reproducible in text.
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00457ABA
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 00457ADF
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,0046070C,?,?,?), ref: 00457B16
                                                                                          • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00457B3B
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00457B59
                                                                                          • EqualSid.ADVAPI32(?,00000022), ref: 00457B6A
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00457B7E
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00457B8C
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00457B9C
                                                                                          • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 00457BAB
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00457BB2
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,00457FC9,?,00000000), ref: 00457BCE
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                          • String ID: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe$D
                                                                                          • API String ID: 2976863881-1834141438
                                                                                          • Opcode ID: 7baa3c7a452d88eb32cf6d5a0be0a57ad3eed941c46f93c9db7dcbb3b5899ad1
                                                                                          • Instruction ID: bb41ce7bb50e4843f4a79c70bfc20c1be9238aba881545f8816de156c7c37e75
                                                                                          • Opcode Fuzzy Hash: 7baa3c7a452d88eb32cf6d5a0be0a57ad3eed941c46f93c9db7dcbb3b5899ad1
                                                                                          • Instruction Fuzzy Hash: 5BA13D71904219AFDB118FA0EC84EEFBBB9FB44305F04407AE905E2251E7799A49CB69

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,?), ref: 0045782F
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00457866
                                                                                          • GetLengthSid.ADVAPI32(?), ref: 00457878
                                                                                          • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0045789A
                                                                                          • GetSecurityDescriptorOwner.ADVAPI32(?,00457F63,?), ref: 004578B8
                                                                                          • EqualSid.ADVAPI32(?,00457F63), ref: 004578D2
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 004578E3
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004578F1
                                                                                          • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00457901
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00457910
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00457917
                                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00457933
                                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00457963
                                                                                          • EqualSid.ADVAPI32(?,00457F63), ref: 0045798A
                                                                                          • DeleteAce.ADVAPI32(?,00000000), ref: 004579A3
                                                                                          • EqualSid.ADVAPI32(?,00457F63), ref: 004579C5
                                                                                          • LocalAlloc.KERNEL32(00000040,00000014), ref: 00457A4A
                                                                                          • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00457A58
                                                                                          • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00457A69
                                                                                          • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00457A79
                                                                                          • LocalFree.KERNEL32(00000000), ref: 00457A87
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                          • String ID: D
                                                                                          • API String ID: 3722657555-2746444292
                                                                                          • Opcode ID: 166537ff0becd92d7a3d3a4762ba4b155556d8306179a8aa77b3ed6029228073
                                                                                          • Instruction ID: 43f6e77fe1fdb81ab94abe44280928d409599d3ee0ba066d17e2352fe6c7d50e
                                                                                          • Opcode Fuzzy Hash: 166537ff0becd92d7a3d3a4762ba4b155556d8306179a8aa77b3ed6029228073
                                                                                          • Instruction Fuzzy Hash: 2C815E71D0421AEBDB11CFA4ED44FEFBBB8AF08341F14407AE905E2251E7798A45CB69

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004583F3
                                                                                          • RegQueryValueExA.KERNELBASE(00460750,?,00000000,?,00458893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00458414
                                                                                          • RegSetValueExA.KERNELBASE(00460750,?,00000000,00000004,00458893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00458441
                                                                                          • RegCloseKey.ADVAPI32(00460750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0045844A
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseOpenQuery
                                                                                          • String ID: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe$localcfg
                                                                                          • API String ID: 237177642-1129100248
                                                                                          • Opcode ID: 96f26f018324a5b5ea42f16b31b4a6840a0577856e8897da1b3fc29f034c20c9
                                                                                          • Instruction ID: 4f806e34c107089ce0cd57260e5ca00d488a5c3b5ab2189333fe4da9a6023fe8
                                                                                          • Opcode Fuzzy Hash: 96f26f018324a5b5ea42f16b31b4a6840a0577856e8897da1b3fc29f034c20c9
                                                                                          • Instruction Fuzzy Hash: E1C193B1940109BFEB11AB959D85EEF7B7CEB05306F14446BF901B2152FEB84E48CB29

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32 ref: 00451DC6
                                                                                          • GetSystemInfo.KERNELBASE(?), ref: 00451DE8
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00451E03
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00451E0A
                                                                                          • GetCurrentProcess.KERNEL32(?), ref: 00451E1B
                                                                                          • GetTickCount.KERNEL32 ref: 00451FC9
                                                                                            • Part of subcall function 00451BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00451C15
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                          • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                          • API String ID: 4207808166-1381319158
                                                                                          • Opcode ID: 7d2faf28587f9f30c070b4c793a82ca0cbb343a1463f4b73ded6cf2bdedea479
                                                                                          • Instruction ID: 7b424437ad2124be7f534a89c351bf6f22285636e179e1bfef13197bc60870c9
                                                                                          • Opcode Fuzzy Hash: 7d2faf28587f9f30c070b4c793a82ca0cbb343a1463f4b73ded6cf2bdedea479
                                                                                          • Instruction Fuzzy Hash: F151B7B19043446FE324AF768C86F277AECEB4470AF04091FFD5542253E7BDA948876A

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,771B0F10,00000000), ref: 00457472
                                                                                          • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,771B0F10,00000000), ref: 004574F0
                                                                                          • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,771B0F10,00000000), ref: 00457528
                                                                                          • ___ascii_stricmp.LIBCMT ref: 0045764D
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,771B0F10,00000000), ref: 004576E7
                                                                                          • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00457706
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 00457717
                                                                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,771B0F10,00000000), ref: 00457745
                                                                                          • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,771B0F10,00000000), ref: 004577EF
                                                                                            • Part of subcall function 0045F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004622F8,000000C8,00457150,?), ref: 0045F1AD
                                                                                          • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0045778F
                                                                                          • RegCloseKey.KERNELBASE(?), ref: 004577E6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                          • String ID: "
                                                                                          • API String ID: 3433985886-123907689
                                                                                          • Opcode ID: 21a2e00f68949eac384430ff74d3c61ab4b5b7ae087798d23ca7ae1d905a3c13
                                                                                          • Instruction ID: 048ae9816a50cbcc691e63b8c97cfab5470b61eb4e0c6d2c5594b7bdd4ef8997
                                                                                          • Opcode Fuzzy Hash: 21a2e00f68949eac384430ff74d3c61ab4b5b7ae087798d23ca7ae1d905a3c13
                                                                                          • Instruction Fuzzy Hash: 0CC1E471904209BFDB119FA5EC45BEF7BB9EF05311F1000A7F904E6192EB789E488B69

                                                                                          Control-flow Graph
                                                                                          APIs
                                                                                          • SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 0045677E
                                                                                          • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 0045679A
                                                                                          • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 004567B0
                                                                                          • SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 004567BF
                                                                                          • GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 004567D3
                                                                                          • ReadFile.KERNELBASE(000000FF,?,00000040,00458244,00000000,?,771B0F10,00000000), ref: 00456807
                                                                                          • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0045681F
                                                                                          • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 0045683E
                                                                                          • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0045685C
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000028,00458244,00000000,?,771B0F10,00000000), ref: 0045688B
                                                                                          • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,771B0F10,00000000), ref: 00456906
                                                                                          • ReadFile.KERNEL32(000000FF,?,00000000,00458244,00000000,?,771B0F10,00000000), ref: 0045691C
                                                                                          • FindCloseChangeNotification.KERNELBASE(000000FF,?,771B0F10,00000000), ref: 00456971
  • Part of subcall function 0045EC2E: GetProcessHeap.KERNEL32(00000000,'E,00000000,0045EA27,00000000), ref: 0045EC41
  • Part of subcall function 0045EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0045EC48
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Yara matches
Similarity
• API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
• String ID:
• API String ID: 1400801100-0
• Opcode ID: 2a8f8ff34d8257e275a79e55dc6faf835d653a02d5e1cddbfdf6604154b8d261
• Instruction ID: ad0ca9f917dca6fe07a972417754b52569678cfa5a7fa9dab74174b9939a9d51
• Opcode Fuzzy Hash: 2a8f8ff34d8257e275a79e55dc6faf835d653a02d5e1cddbfdf6604154b8d261
• Instruction Fuzzy Hash: 627158B1C0021DEFDF109FA5CC80AEEBBB8FB04315F50456AE915A7291E7349E96CB64

Control-flow Graph
control_flow_graph 1159 45f315-45f332 1160 45f334-45f336 1159->1160 1161 45f33b-45f372 call 45ee2a htons socket 1159->1161 1162 45f424-45f427 1160->1162 1165 45f374-45f37d closesocket 1161->1165 1166 45f382-45f39b ioctlsocket 1161->1166 1165->1162 1167 45f39d 1166->1167 1168 45f3aa-45f3f0 connect select 1166->1168 1169 45f39f-45f3a8 closesocket 1167->1169 1170 45f421 1168->1170 1171 45f3f2-45f401 __WSAFDIsSet 1168->1171 1172 45f423 1169->1172 1170->1172 1171->1169 1173 45f403-45f416 ioctlsocket call 45f26d 1171->1173 1172->1162 1175 45f41b-45f41f 1173->1175 1175->1172
APIs
• htons.WS2_32(0045CA1D), ref: 0045F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0045F367
• closesocket.WS2_32(00000000), ref: 0045F375
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Yara matches
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 7433493a791b49217c385413c35b13fe56450017d95a82668ce8c97f473f2bf6
• Instruction ID: bcec3266f758c084b813b6643224157acdb8f810a66357d5893e3722c6a52e73
• Opcode Fuzzy Hash: 7433493a791b49217c385413c35b13fe56450017d95a82668ce8c97f473f2bf6
• Instruction Fuzzy Hash: 9131AE72900118ABDB10DFA5DC89DEF7BBCEF89314F104176F905D3152E7748A498BAA

Control-flow Graph
control_flow_graph 1176 45405e-45407b CreateEventA 1177 454084-4540a8 call 453ecd call 454000 1176->1177 1178 45407d-454081 1176->1178 1183 454130-45413e call 45ee2a 1177->1183 1184 4540ae-4540be call 45ee2a 1177->1184 1189 45413f-454165 call 453ecd CreateNamedPipeA 1183->1189 1184->1183 1190 4540c0-4540f1 call 45eca5 call 453f18 call 453f8c 1184->1190 1195 454167-454174 Sleep 1189->1195 1196 454188-454193 ConnectNamedPipe 1189->1196 1207 454127-45412a CloseHandle 1190->1207 1208 4540f3-4540ff 1190->1208 1195->1189 1198 454176-454182 CloseHandle 1195->1198 1200 454195-4541a5 GetLastError 1196->1200 1201 4541ab-4541c0 call 453f8c 1196->1201 1198->1196 1200->1201 1203 45425e-454265 DisconnectNamedPipe 1200->1203 1201->1196 1209 4541c2-4541f2 call 453f18 call 453f8c 1201->1209 1203->1196 1207->1183 1208->1207 1210 454101-454121 call 453f18 ExitProcess 1208->1210 1209->1203 1217 4541f4-454200 1209->1217 1217->1203 1218 454202-454215 call 453f8c 1217->1218 1218->1203 1221 454217-45421b 1218->1221 1221->1203 1222 45421d-454230 call 453f8c 1221->1222 1222->1203 1225 454232-454236 1222->1225 1225->1196 1226 45423c-454251 call 453f18 1225->1226 1229 454253-454259 1226->1229 1230 45426a-454276 CloseHandle * 2 call 45e318 1226->1230 1229->1196 1232 45427b 1230->1232 1232->1232
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00454070
• ExitProcess.KERNEL32 ref: 00454121
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateEventExitProcess
• String ID:
• API String ID: 2404124870-0
• Opcode ID: dbd18c835606a211c7955312329d0f6eb7310fbb2f48f11ca70ffbed683f57f8
• Instruction ID: d139cab7883ff7cbd679ab44a6cef566367a057fa66fe8c17d36745db16644a2
• Opcode Fuzzy Hash: dbd18c835606a211c7955312329d0f6eb7310fbb2f48f11ca70ffbed683f57f8
• Instruction Fuzzy Hash: 8E51B671D00118BADB209BA19C46FFF7A7CEB5075AF100066FE00A9182E7788E89C769

Control-flow Graph
control_flow_graph 1233 452d21-452d44 GetModuleHandleA 1234 452d46-452d52 LoadLibraryA 1233->1234 1235 452d5b-452d69 GetProcAddress 1233->1235 1234->1235 1236 452d54-452d56 1234->1236 1235->1236 1237 452d6b-452d7b DnsQuery_A 1235->1237 1238 452dee-452df1 1236->1238 1237->1236 1239 452d7d-452d88 1237->1239 1240 452deb 1239->1240 1241 452d8a-452d8b 1239->1241 1240->1238 1242 452d90-452d95 1241->1242 1243 452d97-452daa GetProcessHeap HeapAlloc 1242->1243 1244 452de2-452de8 1242->1244 1245 452dac-452dd9 call 45ee2a lstrcpynA 1243->1245 1246 452dea 1243->1246 1244->1242 1244->1246 1249 452de0 1245->1249 1250 452ddb-452dde 1245->1250 1246->1240 1249->1244 1250->1244
APIs
• GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,00452F01,?,004520FF,00462000), ref: 00452D3A
• LoadLibraryA.KERNEL32(?), ref: 00452D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00452D61
• DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 00452D77
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00452D99
• HeapAlloc.KERNEL32(00000000), ref: 00452DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00452DCB
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 233223969-3847274415
• Opcode ID: 73c29efe08fd9db4aa73cb9cec328e793d533a67f9c0f37199451c86bc64ed4a
• Instruction ID: 4beb266edf8abb430aba619eedd2a89cc652ba4eee44f9816cdc14df1b08614b
• Opcode Fuzzy Hash: 73c29efe08fd9db4aa73cb9cec328e793d533a67f9c0f37199451c86bc64ed4a
• Instruction Fuzzy Hash: D7218171900226ABCB119F54DD449EFBBB8EF0A752F104023FD05E3211E3F4998987D9

Control-flow Graph
control_flow_graph 1251 4580c9-4580ed call 456ec3 1254 4580ef call 457ee6 1251->1254 1255 4580f9-458115 call 45704c 1251->1255 1258 4580f4 1254->1258 1260 458225-45822b 1255->1260 1261 45811b-458121 1255->1261 1258->1260 1262 45822d-458233 1260->1262 1263 45826c-458273 1260->1263 1261->1260 1264 458127-45812a 1261->1264 1262->1263 1265 458235-45823f call 45675c 1262->1265 1264->1260 1266 458130-458167 call 452544 RegOpenKeyExA 1264->1266 1269 458244-45824b 1265->1269 1272 458216-458222 call 45ee2a 1266->1272 1273 45816d-45818b RegQueryValueExA 1266->1273 1269->1263 1271 45824d-458269 call 4524c2 call 45ec2e 1269->1271 1271->1263 1272->1260 1276 4581f7-4581fe 1273->1276 1277 45818d-458191 1273->1277 1281 458200-458206 call 45ec2e 1276->1281 1282 45820d-458210 RegCloseKey 1276->1282 1277->1276 1278 458193-458196 1277->1278 1278->1276 1283 458198-4581a8 call 45ebcc 1278->1283 1289 45820c 1281->1289 1282->1272 1283->1282 1291 4581aa-4581c2 RegQueryValueExA 1283->1291 1289->1282 1291->1276 1292 4581c4-4581ca 1291->1292 1293 4581cd-4581d2 1292->1293 1293->1293 1294 4581d4-4581e5 call 45ebcc 1293->1294 1294->1282 1297 4581e7-4581f5 call 45ef00 1294->1297 1297->1289
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 0045815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0045A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 00458187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0045A45F,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 004581BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,771B0F10,00000000), ref: 00458210
  • Part of subcall function 0045675C: SetFileAttributesA.KERNEL32(?,00000080,?,771B0F10,00000000), ref: 0045677E
  • Part of subcall function 0045675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,771B0F10,00000000), ref: 0045679A
  • Part of subcall function 0045675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,771B0F10,00000000), ref: 004567B0
  • Part of subcall function 0045675C: SetFileAttributesA.KERNEL32(?,00000002,?,771B0F10,00000000), ref: 004567BF
  • Part of subcall function 0045675C: GetFileSize.KERNEL32(000000FF,00000000,?,771B0F10,00000000), ref: 004567D3
  • Part of subcall function 0045675C: ReadFile.KERNELBASE(000000FF,?,00000040,00458244,00000000,?,771B0F10,00000000), ref: 00456807
  • Part of subcall function 0045675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0045681F
  • Part of subcall function 0045675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,771B0F10,00000000), ref: 0045683E
  • Part of subcall function 0045675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,771B0F10,00000000), ref: 0045685C
  • Part of subcall function 0045EC2E: GetProcessHeap.KERNEL32(00000000,'E,00000000,0045EA27,00000000), ref: 0045EC41
  • Part of subcall function 0045EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0045EC48
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\bzycpcet\pspizbvl.exe
• API String ID: 124786226-577293463
• Opcode ID: c6e0686cea838e2e50318c82dc1167c01b1a6074544295137cd9d1a257921c59
• Instruction ID: 4655488fb6f92ce43636e0611d9bb33c74d7ce5917bc22adf9b73f23f4e134ef
• Opcode Fuzzy Hash: c6e0686cea838e2e50318c82dc1167c01b1a6074544295137cd9d1a257921c59
• Instruction Fuzzy Hash: 4A41C4B1904509BFDB10EBA19D81DBF7B6C9B01305F1004BFF905E2142FEB85E488B2A

Control-flow Graph
control_flow_graph 1300 451ac3-451adc LoadLibraryA 1301 451ae2-451af3 GetProcAddress 1300->1301 1302 451b6b-451b70 1300->1302 1303 451af5-451b01 1301->1303 1304 451b6a 1301->1304 1305 451b1c-451b27 GetAdaptersAddresses 1303->1305 1304->1302 1306 451b03-451b09 call 45ebed 1305->1306 1307 451b29-451b2b 1305->1307 1314 451b0e-451b12 1306->1314 1308 451b2d-451b32 1307->1308 1309 451b5b-451b5e 1307->1309 1311 451b34-451b3b 1308->1311 1312 451b69 1308->1312 1309->1312 1313 451b60-451b68 call 45ec2e 1309->1313 1315 451b54-451b59 1311->1315 1316 451b3d-451b52 1311->1316 1312->1304 1313->1312 1314->1307 1318 451b14-451b1b 1314->1318 1315->1309 1315->1311 1316->1315 1316->1316 1318->1305
APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00451AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00451AE9
• GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00451B20
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Yara matches
Similarity
• API ID: AdaptersAddressAddressesLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 3646706440-1087626847
• Opcode ID: 4b27fb7cd242fc8721ad64152521b4f04ec3e99f068c6751478d6c318061b6c1
• Instruction ID: d58a1c0b2f8b8cbdad9be44bec04ddfb7817c24b41a0c6d52b0786a99789d168
• Opcode Fuzzy Hash: 4b27fb7cd242fc8721ad64152521b4f04ec3e99f068c6751478d6c318061b6c1
• Instruction Fuzzy Hash: 95110A71E01124AFCB15DBA5CC84DEFBBB9EB44B12B244057E405A7222E6746E48CB88

Control-flow Graph
control_flow_graph 1320 45e3ca-45e3ee RegOpenKeyExA 1321 45e3f4-45e3fb 1320->1321 1322 45e528-45e52d 1320->1322 1323 45e3fe-45e403 1321->1323 1323->1323 1324 45e405-45e40f 1323->1324 1325 45e414-45e452 call 45ee08 call 45f1ed RegQueryValueExA 1324->1325 1326 45e411-45e413 1324->1326 1331 45e51d-45e527 RegCloseKey 1325->1331 1332 45e458-45e486 call 45f1ed RegQueryValueExA 1325->1332 1326->1325 1331->1322 1335 45e488-45e48a 1332->1335 1335->1331 1336 45e490-45e4a1 call 45db2e 1335->1336 1336->1331 1339 45e4a3-45e4a6 1336->1339 1340 45e4a9-45e4d3 call 45f1ed RegQueryValueExA 1339->1340 1343 45e4d5-45e4da 1340->1343 1344 45e4e8-45e4ea 1340->1344 1343->1344 1345 45e4dc-45e4e6 1343->1345 1344->1331 1346 45e4ec-45e516 call 452544 call 45e332 1344->1346 1345->1340 1345->1344 1346->1331
APIs
• RegOpenKeyExA.KERNELBASE(80000001,0045E5F2,00000000,00020119,0045E5F2,004622F8), ref: 0045E3E6
• RegQueryValueExA.ADVAPI32(0045E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0045E44E
• RegQueryValueExA.ADVAPI32(0045E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0045E482
• RegQueryValueExA.ADVAPI32(0045E5F2,?,00000000,?,80000001,?), ref: 0045E4CF
• RegCloseKey.ADVAPI32(0045E5F2,?,?,?,?,000000C8,000000E4), ref: 0045E520
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: a7ef8f01a6569c54d92e2d429de33fa24434523b5d15da4f7a90ad51d46b9ffe
• Instruction ID: 6d0e5307c8f516721f775e5adf668504028abc1d2b953c4160a37e0e6ad8e0a6
• Opcode Fuzzy Hash: a7ef8f01a6569c54d92e2d429de33fa24434523b5d15da4f7a90ad51d46b9ffe
• Instruction Fuzzy Hash: 0D4128B2D0021DBFDF119FD5DC81DEEBBB9EB04345F044066EA10A2252E3759F198B65

Control-flow Graph
control_flow_graph 1351 45f26d-45f303 setsockopt * 5
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0045F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0045F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0045F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0045F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0045F2FD
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Yara matches
Similarity
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
• Opcode ID: 94868f68dead73769c7179e6617034427155ccf3e598d2f562528fed71c6e76a
• Instruction ID: eb7e020830b10779ab4ddaea0e9d8fd408bfd8a746974b61e35589d19b1f85b8
• Opcode Fuzzy Hash: 94868f68dead73769c7179e6617034427155ccf3e598d2f562528fed71c6e76a
• Instruction Fuzzy Hash: 4411F8B2A40248BAEB11DF94CD85F9E7FBCEB44751F008066BB04EA1D0E6B19A44CB94

                                                                                          Control-flow Graph

                                                                                          • Executed
                                                                                          • Not Executed
                                                                                          control_flow_graph 1352 451bdf-451c04 call 451ac3 1354 451c09-451c0b 1352->1354 1355 451c0d-451c1d GetComputerNameA 1354->1355 1356 451c5a-451c5e 1354->1356 1357 451c45-451c57 GetVolumeInformationA 1355->1357 1358 451c1f-451c24 1355->1358 1357->1356 1358->1357 1359 451c26-451c3b 1358->1359 1359->1359 1360 451c3d-451c3f 1359->1360 1360->1357 1361 451c41-451c43 1360->1361 1361->1356
                                                                                          APIs
                                                                                            • Part of subcall function 00451AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00451AD4
                                                                                            • Part of subcall function 00451AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00451AE9
                                                                                            • Part of subcall function 00451AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00451B20
                                                                                          • GetComputerNameA.KERNEL32(?,0000000F), ref: 00451C15
                                                                                          • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00451C51
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Similarity
                                                                                          • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                          • String ID: hi_id$localcfg
                                                                                          • API String ID: 2794401326-2393279970
                                                                                          • Opcode ID: 9c107f3e1f0db621dc9200b310d58acc7cef018d39da09f4d885b4253fbeedf1
                                                                                          • Instruction ID: 55179416bede89a3039c1c9e181570ba68307c533c05cbe377c6193f7d44b09e
                                                                                          • Opcode Fuzzy Hash: 9c107f3e1f0db621dc9200b310d58acc7cef018d39da09f4d885b4253fbeedf1
                                                                                          • Instruction Fuzzy Hash: C9019672940118BFEB11DAF8CCC5AEFBBBCE744746F100476EA02E3211D2B49D488665
                                                                                          APIs
                                                                                            • Part of subcall function 00451AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00451AD4
                                                                                            • Part of subcall function 00451AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00451AE9
                                                                                            • Part of subcall function 00451AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 00451B20
                                                                                          • GetComputerNameA.KERNEL32(?,0000000F), ref: 00451BA3
                                                                                          • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,00451EFD,00000000,00000000,00000000,00000000), ref: 00451BB8
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Similarity
                                                                                          • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 2794401326-1857712256
                                                                                          • Opcode ID: 90f8384f9c4fb814d6ef4ccbf3ad176897f8cfe3ba3775833383867050d4870b
                                                                                          • Instruction ID: d399a4a3427fb1f89c5069825f42dd043560b6c8299babe7a124cd13c5a2252d
                                                                                          • Opcode Fuzzy Hash: 90f8384f9c4fb814d6ef4ccbf3ad176897f8cfe3ba3775833383867050d4870b
                                                                                          • Instruction Fuzzy Hash: 5D018BB2D00108BFEB019BE9CC81AEFFABCAB48655F150162AA01E3151E5B0AE0846A1
                                                                                          APIs
                                                                                          • inet_addr.WS2_32(00000002), ref: 00452693
                                                                                          • gethostbyname.WS2_32(00000002), ref: 0045269F
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Similarity
                                                                                          • API ID: gethostbynameinet_addr
                                                                                          • String ID: time_cfg
                                                                                          • API String ID: 1594361348-2401304539
                                                                                          • Opcode ID: c977e37c101f63bf2c481d9bbab01b91473690c765c8ce71973e5c297d3f68cc
                                                                                          • Instruction ID: cec561af5cab3a6c2ac47a0f59f81008c1282486e0dd7ea2372cbc428d2bf8c9
                                                                                          • Opcode Fuzzy Hash: c977e37c101f63bf2c481d9bbab01b91473690c765c8ce71973e5c297d3f68cc
                                                                                          • Instruction Fuzzy Hash: E7E08C302041218FCB108B28F848A8737E4AF06331F014182F840C32A1D7B4DC808689
                                                                                          APIs
                                                                                            • Part of subcall function 0045EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0045EC0A,00000000,80000001,?,0045DB55,7FFF0001), ref: 0045EBAD
                                                                                            • Part of subcall function 0045EBA0: HeapSize.KERNEL32(00000000,?,0045DB55,7FFF0001), ref: 0045EBB4
                                                                                          • GetProcessHeap.KERNEL32(00000000,'E,00000000,0045EA27,00000000), ref: 0045EC41
                                                                                          • RtlFreeHeap.NTDLL(00000000), ref: 0045EC48
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$FreeSize
                                                                                          • String ID: 'E
                                                                                          • API String ID: 1305341483-2717944224
                                                                                          • Opcode ID: 2a5aff5f431b8d953d4b25f9e4e6df52600025519d6d6cb98a9b2aec4944cc38
                                                                                          • Instruction ID: 2dc07175ac01d3909a92b820b6f77cc7029cb8bbeaf449d415ed157de3dcbaa8
                                                                                          • Opcode Fuzzy Hash: 2a5aff5f431b8d953d4b25f9e4e6df52600025519d6d6cb98a9b2aec4944cc38
                                                                                          • Instruction Fuzzy Hash: 4AC012324062306BC5552B51BD0DFDB7B189F47713F0D040AF8056615597A4994046EA
                                                                                          APIs
                                                                                            • Part of subcall function 0045DD05: GetTickCount.KERNEL32 ref: 0045DD0F
                                                                                            • Part of subcall function 0045DD05: InterlockedExchange.KERNEL32(004636B4,00000001), ref: 0045DD44
                                                                                            • Part of subcall function 0045DD05: GetCurrentThreadId.KERNEL32 ref: 0045DD53
                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,771B0F10,?,00000000,?,0045A445), ref: 0045E558
                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,771B0F10,?,00000000,?,0045A445), ref: 0045E583
                                                                                          • CloseHandle.KERNEL32(00000000,?,771B0F10,?,00000000,?,0045A445), ref: 0045E5B2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Similarity
                                                                                          • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                          • String ID:
                                                                                          • API String ID: 3683885500-0
                                                                                          • Opcode ID: 7b9248ab86805dc1ef1754a050951aeaa9e37e285fc953d6a4393641c6745225
                                                                                          • Instruction ID: bdf79045aba55851d0a700c16c5b168d92807f27db9e232731d19960b952c630
                                                                                          • Opcode Fuzzy Hash: 7b9248ab86805dc1ef1754a050951aeaa9e37e285fc953d6a4393641c6745225
                                                                                          • Instruction Fuzzy Hash: 3221F8B19403047AE1257A639C07F5B391CDF5575AF10002BFE09A11E3F99DDA1881FE
                                                                                          APIs
                                                                                          • Sleep.KERNELBASE(000003E8), ref: 004588A5
                                                                                            • Part of subcall function 0045F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0045E342,00000000,7686EA50,80000001,00000000,0045E513,?,00000000,00000000,?,000000E4), ref: 0045F089
                                                                                            • Part of subcall function 0045F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0045E342,00000000,7686EA50,80000001,00000000,0045E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0045F093
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Similarity
                                                                                          • API ID: Time$FileSystem$Sleep
                                                                                          • String ID: localcfg$rresolv
                                                                                          • API String ID: 1561729337-486471987
                                                                                          • Opcode ID: 56955fe4b8f7921c403b5cfe37f4e956ed5cf2ecb032962091623fa687e5c93a
                                                                                          • Instruction ID: e9e8c90870aabebc454f51c3de5e4475acf0d94dc3ae421a7dee2298123f9738
                                                                                          • Opcode Fuzzy Hash: 56955fe4b8f7921c403b5cfe37f4e956ed5cf2ecb032962091623fa687e5c93a
                                                                                          • Instruction Fuzzy Hash: 8A2193315483007AF318B7666E4BF6A26A8DB05B5AFA4042FFD04A61C3FEDD554C81AF
                                                                                          APIs
                                                                                          • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004622F8,004542B6,00000000,00000001,004622F8,00000000,?,004598FD), ref: 00454021
                                                                                          • GetLastError.KERNEL32(?,004598FD,00000001,00000100,004622F8,0045A3C7), ref: 0045402C
                                                                                          • Sleep.KERNEL32(000001F4,?,004598FD,00000001,00000100,004622F8,0045A3C7), ref: 00454046
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateErrorFileLastSleep
                                                                                          • String ID:
                                                                                          • API String ID: 408151869-0
                                                                                          • Opcode ID: 133360e59f3c7bcedd3a6ec7d8f6b965be5cf49263426baee4767709900748bd
                                                                                          • Instruction ID: 619079c5ce3407b9444882a6849ec9eec54f89ef15ff8dadd3daaed30c338fb1
                                                                                          • Opcode Fuzzy Hash: 133360e59f3c7bcedd3a6ec7d8f6b965be5cf49263426baee4767709900748bd
                                                                                          • Instruction Fuzzy Hash: FDF0A7312401016AD7350B24BC49BAB33A1DBC2B2AF354B26F7B5EA1E1C67448C99B1D
                                                                                          APIs
                                                                                          • GetEnvironmentVariableA.KERNEL32(0045DC19,?,00000104), ref: 0045DB7F
                                                                                          • lstrcpyA.KERNEL32(?,004628F8), ref: 0045DBA4
                                                                                          • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 0045DBC2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Similarity
                                                                                          • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                                          • String ID:
                                                                                          • API String ID: 2536392590-0
                                                                                          • Opcode ID: ba4b4e7f872305ea2799fcd7787a2e16644b07e5f3809c15c82e20c3089d2b99
                                                                                          • Instruction ID: 2f568c3343a626d6db499979d1e2781317ba47398a89152adab438a528db624d
                                                                                          • Opcode Fuzzy Hash: ba4b4e7f872305ea2799fcd7787a2e16644b07e5f3809c15c82e20c3089d2b99
                                                                                          • Instruction Fuzzy Hash: E2F09070500209ABEF20DF64EC49FDA3B69AB10308F1045A4FB51A40E0E7F2E589CB19
                                                                                          APIs
                                                                                          • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0045EC5E
                                                                                          • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0045EC72
                                                                                          • GetTickCount.KERNEL32 ref: 0045EC78
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Similarity
                                                                                          • API ID: Time$CountFileInformationSystemTickVolume
                                                                                          • String ID:
                                                                                          • API String ID: 1209300637-0
                                                                                          • Opcode ID: b143d6739c6d786fc971aa01d1634fa42cae31ab0fd21b39203fcd5e7d0d09c7
                                                                                          • Instruction ID: b5ae04a05d3219104989919e0ccaf63441f54d75ef642fb26effd6ad11c56cfa
                                                                                          • Opcode Fuzzy Hash: b143d6739c6d786fc971aa01d1634fa42cae31ab0fd21b39203fcd5e7d0d09c7
                                                                                          • Instruction Fuzzy Hash: 2BE0BFF5810104BFEB11EBB0EC4EEBB77BCFB08315F500660F912D6090EAB09A048B65
                                                                                          APIs
                                                                                          • gethostname.WS2_32(?,00000080), ref: 004530D8
                                                                                          • gethostbyname.WS2_32(?), ref: 004530E2
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Similarity
                                                                                          • API ID: gethostbynamegethostname
                                                                                          • String ID:
                                                                                          • API String ID: 3961807697-0
                                                                                          • Opcode ID: b3a0a6c2b2c066d0a227623f95f8794eae8f54002e61293d069e66dbb184ae21
                                                                                          • Instruction ID: dc74a8eab7fccb8c1c1d7f280b4d08ca927940a60d1dea3f05c1caabafde072e
                                                                                          • Opcode Fuzzy Hash: b3a0a6c2b2c066d0a227623f95f8794eae8f54002e61293d069e66dbb184ae21
                                                                                          • Instruction Fuzzy Hash: 50E065719002199BCB009BA8EC8AF8B77ACBF04308F084461F905E3255FA74E9088794
                                                                                          APIs
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0045EBFE,7FFF0001,?,0045DB55,7FFF0001), ref: 0045EBD3
                                                                                          • RtlAllocateHeap.NTDLL(00000000,?,0045DB55,7FFF0001), ref: 0045EBDA
                                                                                            • Part of subcall function 0045EB74: GetProcessHeap.KERNEL32(00000000,00000000,0045EC28,00000000,?,0045DB55,7FFF0001), ref: 0045EB81
                                                                                            • Part of subcall function 0045EB74: HeapSize.KERNEL32(00000000,?,0045DB55,7FFF0001), ref: 0045EB88
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$AllocateSize
                                                                                          • String ID:
                                                                                          • API String ID: 2559512979-0
                                                                                          • Opcode ID: 164893fdfe7479852dfd1771787a9195fdd443b6d9dcc4020210626f957e10e1
                                                                                          • Instruction ID: 8543aae5c5e8d674bad0d648166d6c37bead04fddb242bc03f4155c073930bcb
                                                                                          • Opcode Fuzzy Hash: 164893fdfe7479852dfd1771787a9195fdd443b6d9dcc4020210626f957e10e1
                                                                                          • Instruction Fuzzy Hash: 8DC08C322082206BCA0127A5BC0CEDB3E98EF0A3A3F080029FA09C2160DB75494087AB
                                                                                          APIs
                                                                                          • recv.WS2_32(000000C8,?,00000000,0045CA44), ref: 0045F476
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Similarity
                                                                                          • API ID: recv
                                                                                          • String ID:
                                                                                          • API String ID: 1507349165-0
                                                                                          • Opcode ID: 1c5ae62860c57b8096a2d1a5d5e44e5db2d1c6b37ed973135e01a81d4fe8dd81
                                                                                          • Instruction ID: 5f926ef09f6a1a067283066da254864cd3b08861c65f6c30dd32549400494a9a
                                                                                          • Opcode Fuzzy Hash: 1c5ae62860c57b8096a2d1a5d5e44e5db2d1c6b37ed973135e01a81d4fe8dd81
                                                                                          • Instruction Fuzzy Hash: 82F08232201549AB9B019E5ADC84CAB3BADFB9A3117040132FE04D3111D631E8298765
                                                                                          APIs
                                                                                          • closesocket.WS2_32(00000000), ref: 00451992
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Similarity
                                                                                          • API ID: closesocket
                                                                                          • String ID:
                                                                                          • API String ID: 2781271927-0
                                                                                          • Opcode ID: 6dc6fad8cb6eb2efcb59553a15ea4a45ab88191f48a249e62151e83ef84279a8
                                                                                          • Instruction ID: 907dcc9cfdbf1bc8139f8f4df05e0c7cb6ac2c658e6745df05f7747c1e6ce22d
                                                                                          • Opcode Fuzzy Hash: 6dc6fad8cb6eb2efcb59553a15ea4a45ab88191f48a249e62151e83ef84279a8
                                                                                          • Instruction Fuzzy Hash: 0CD012661486316A52112759BC155BFAB9CDF45663B11842BFC48C0161D638CC45839A
APIs
• lstrcmpiA.KERNEL32(80000011,00000000), ref: 0045DDB5
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Similarity
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00459816,EntryPoint), ref: 0045638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00459816,EntryPoint), ref: 004563A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004563CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004563EB
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00451839,00459646), ref: 00451012
• GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004510C2
• GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004510E1
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00451101
• GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00451121
• GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00451140
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00451160
• GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00451180
• GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0045119F
• GetProcAddress.KERNEL32(00000000,NtClose), ref: 004511BF
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004511DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004511FE
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0045121A
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
APIs
• GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0045B2B3
• FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0045B2C2
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0045B2D0
• SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0045B2E1
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0045B31A
• GetTimeZoneInformation.KERNEL32(?), ref: 0045B329
• wsprintfA.USER32 ref: 0045B3B7
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Similarity
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
APIs
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
APIs
• wsprintfA.USER32 ref: 0045A7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0045A87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0045A893
• wsprintfA.USER32 ref: 0045A8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 0045A8D2
• wsprintfA.USER32 ref: 0045A8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0045A97C
• wsprintfA.USER32 ref: 0045A9B9
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
APIs
• ShellExecuteExW.SHELL32(?), ref: 0045139A
• lstrlenW.KERNEL32(-00000003), ref: 00451571
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$uac$useless$wusa.exe
• API String ID: 1628651668-1839596206
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,771AF380), ref: 00452A83
• HeapAlloc.KERNEL32(00000000,?,771AF380), ref: 00452A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00452AA0
• htons.WS2_32(00000000), ref: 00452ADB
• select.WS2_32 ref: 00452B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00452B4A
• htons.WS2_32(?), ref: 00452B71
• htons.WS2_32(?), ref: 00452B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00452BFB
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,771B0F10,?,771B0F10,00000000), ref: 004570C2
• RegEnumValueA.ADVAPI32(771B0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,771B0F10,00000000), ref: 0045719E
• RegCloseKey.ADVAPI32(771B0F10,?,771B0F10,00000000), ref: 004571B2
• RegCloseKey.ADVAPI32(771B0F10), ref: 00457208
• RegCloseKey.ADVAPI32(771B0F10), ref: 00457291
• ___ascii_stricmp.LIBCMT ref: 004572C2
• RegCloseKey.ADVAPI32(771B0F10), ref: 004572D0
• RegCloseKey.ADVAPI32(771B0F10), ref: 00457314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0045738D
• RegCloseKey.ADVAPI32(771B0F10), ref: 004573D8
  • Part of subcall function 0045F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004622F8,000000C8,00457150,?), ref: 0045F1AD
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
APIs
• GetLocalTime.KERNEL32(?), ref: 0045AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0045ADA6
  • Part of subcall function 0045AD08: gethostname.WS2_32(?,00000080), ref: 0045AD1C
  • Part of subcall function 0045AD08: lstrlenA.KERNEL32(00000000), ref: 0045AD60
  • Part of subcall function 0045AD08: lstrlenA.KERNEL32(00000000), ref: 0045AD69
  • Part of subcall function 0045AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0045AD7F
  • Part of subcall function 004530B5: gethostname.WS2_32(?,00000080), ref: 004530D8
  • Part of subcall function 004530B5: gethostbyname.WS2_32(?), ref: 004530E2
• wsprintfA.USER32 ref: 0045AEA5
  • Part of subcall function 0045A7A3: inet_ntoa.WS2_32(?), ref: 0045A7A9
• wsprintfA.USER32 ref: 0045AE4F
• wsprintfA.USER32 ref: 0045AE5E
  • Part of subcall function 0045EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0045EF92
  • Part of subcall function 0045EF7C: lstrlenA.KERNEL32(?), ref: 0045EF99
  • Part of subcall function 0045EF7C: lstrlenA.KERNEL32(00000000), ref: 0045EFA0
Memory Dump Source
• Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_2_450000_svchost.jbxd
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(iphlpapi.dll,771B23A0,?,000DBBA0,?,00000000,00452F0F,?,004520FF,00462000), ref: 00452E01
                                                                                          • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00452F0F,?,004520FF,00462000), ref: 00452E11
                                                                                          • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00452E2E
                                                                                          • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00452F0F,?,004520FF,00462000), ref: 00452E4C
                                                                                          • HeapAlloc.KERNEL32(00000000,?,00000000,00452F0F,?,004520FF,00462000), ref: 00452E4F
                                                                                          • htons.WS2_32(00000035), ref: 00452E88
                                                                                          • inet_addr.WS2_32(?), ref: 00452E93
                                                                                          • gethostbyname.WS2_32(?), ref: 00452EA6
                                                                                          • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00452F0F,?,004520FF,00462000), ref: 00452EE3
                                                                                          • HeapFree.KERNEL32(00000000,?,00000000,00452F0F,?,004520FF,00462000), ref: 00452EE6
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                          • String ID: GetNetworkParams$iphlpapi.dll
                                                                                          • API String ID: 929413710-2099955842
                                                                                          • Opcode ID: 8a594a112979816133b1e9cec1111d690f04b53e66bbdab5d80bde5cd59db0bf
                                                                                          • Instruction ID: b1524ba4e31978ce2358e83697ae25037260c5a9cf66d5c9cb58dca3bbf314f6
                                                                                          • Opcode Fuzzy Hash: 8a594a112979816133b1e9cec1111d690f04b53e66bbdab5d80bde5cd59db0bf
                                                                                          • Instruction Fuzzy Hash: 9E31F631900209ABDB119BB89D4AAAF7778AF06322F140127FD14E3391EBB8DD458B5D
                                                                                          APIs
                                                                                          • GetVersionExA.KERNEL32(?,?,00459DD7,?,00000022,?,?,00000000,00000001), ref: 00459340
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00459DD7,?,00000022,?,?,00000000,00000001), ref: 0045936E
                                                                                          • GetModuleFileNameA.KERNEL32(00000000,?,00459DD7,?,00000022,?,?,00000000,00000001), ref: 00459375
                                                                                          • wsprintfA.USER32 ref: 004593CE
                                                                                          • wsprintfA.USER32 ref: 0045940C
                                                                                          • wsprintfA.USER32 ref: 0045948D
                                                                                          • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004594F1
                                                                                          • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00459526
                                                                                          • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00459571
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                          • String ID: runas
                                                                                          • API String ID: 3696105349-4000483414
                                                                                          • Opcode ID: 576d311e1d38b6f5088bee275991ce4e335cb5fabc2c906fc4ff811c4cb17379
                                                                                          • Instruction ID: 292fb9d49636dfa2a24bb9adfe8ddee1fa25f60518dcfba805803f391ce3f947
                                                                                          • Opcode Fuzzy Hash: 576d311e1d38b6f5088bee275991ce4e335cb5fabc2c906fc4ff811c4cb17379
                                                                                          • Instruction Fuzzy Hash: 81A150B294060CFBEB259F91CD45FDF3BACEB05746F100027FE0592152E7B999488BA9
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00452078
                                                                                          • GetTickCount.KERNEL32 ref: 004520D4
                                                                                          • GetTickCount.KERNEL32 ref: 004520DB
                                                                                          • GetTickCount.KERNEL32 ref: 0045212B
                                                                                          • GetTickCount.KERNEL32 ref: 00452132
                                                                                          • GetTickCount.KERNEL32 ref: 00452142
                                                                                            • Part of subcall function 0045F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0045E342,00000000,7686EA50,80000001,00000000,0045E513,?,00000000,00000000,?,000000E4), ref: 0045F089
                                                                                            • Part of subcall function 0045F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0045E342,00000000,7686EA50,80000001,00000000,0045E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0045F093
                                                                                            • Part of subcall function 0045E854: lstrcpyA.KERNEL32(00000001,?,?,0045D8DF,00000001,localcfg,except_info,00100000,00460264), ref: 0045E88B
                                                                                            • Part of subcall function 0045E854: lstrlenA.KERNEL32(00000001,?,0045D8DF,00000001,localcfg,except_info,00100000,00460264), ref: 0045E899
                                                                                            • Part of subcall function 00451C5F: wsprintfA.USER32 ref: 00451CE1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                          • String ID: D-C$localcfg$net_type$rbl_bl$rbl_ip
                                                                                          • API String ID: 3976553417-2502931797
                                                                                          • Opcode ID: 2e87a37ae9f414588edd0d1c85cab700b6cc904519663d809bf7f5957b9dda89
                                                                                          • Instruction ID: b10b112ac3fbca6d6cefb97772cdc6c2c3abd4102bfa23d5ce5fe5878346ca0e
                                                                                          • Opcode Fuzzy Hash: 2e87a37ae9f414588edd0d1c85cab700b6cc904519663d809bf7f5957b9dda89
                                                                                          • Instruction Fuzzy Hash: 6051E130505B456ED728AF21EF55B573BD4AB02719F10007FEA41862E3EBF8998CCA1E
                                                                                          APIs
                                                                                          • wsprintfA.USER32 ref: 0045B467
                                                                                            • Part of subcall function 0045EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0045EF92
                                                                                            • Part of subcall function 0045EF7C: lstrlenA.KERNEL32(?), ref: 0045EF99
                                                                                            • Part of subcall function 0045EF7C: lstrlenA.KERNEL32(00000000), ref: 0045EFA0
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$wsprintf
                                                                                          • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                          • API String ID: 1220175532-2340906255
                                                                                          • Opcode ID: 77ace0a948fa1ea76f0d2b3f6e23bfbbafcfbf0871a7154dd9a5b4860cb51309
                                                                                          • Instruction ID: e40ad48c29cdf60bad868e323b2b61bb81cc5822941d964eb786075dd6c77ba6
                                                                                          • Opcode Fuzzy Hash: 77ace0a948fa1ea76f0d2b3f6e23bfbbafcfbf0871a7154dd9a5b4860cb51309
                                                                                          • Instruction Fuzzy Hash: 474162B25401197EDF01AB96CCC2DFF7B6CEF4974DB14011AFD04A2142EB78AA1887B9
                                                                                          APIs
                                                                                            • Part of subcall function 0045A4C7: GetTickCount.KERNEL32 ref: 0045A4D1
                                                                                            • Part of subcall function 0045A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0045A4FA
                                                                                          • GetTickCount.KERNEL32 ref: 0045C31F
                                                                                          • GetTickCount.KERNEL32 ref: 0045C32B
                                                                                          • GetTickCount.KERNEL32 ref: 0045C363
                                                                                          • GetTickCount.KERNEL32 ref: 0045C378
                                                                                          • GetTickCount.KERNEL32 ref: 0045C44D
                                                                                          • InterlockedIncrement.KERNEL32(0045C4E4), ref: 0045C4AE
                                                                                          • CreateThread.KERNEL32(00000000,00000000,0045B535,00000000,?,0045C4E0), ref: 0045C4C1
                                                                                          • CloseHandle.KERNEL32(00000000,?,0045C4E0,00463588,00458810), ref: 0045C4CC
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1553760989-1857712256
                                                                                          • Opcode ID: ae2298583dca6172a5dbe93c2b9a706fa6abe563f7d0f6d86b603edbadb6d60a
                                                                                          • Instruction ID: f67d95654b872eadc932ada97fba44e7b33ae0f5d3c3fb17cc27f73cb44fed57
                                                                                          • Opcode Fuzzy Hash: ae2298583dca6172a5dbe93c2b9a706fa6abe563f7d0f6d86b603edbadb6d60a
                                                                                          • Instruction Fuzzy Hash: E6519DB1500B448FC7248F69C5C452BBBE9FB49301B50593FD98BC7A91E778F8488B14
                                                                                          APIs
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0045BE4F
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0045BE5B
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0045BE67
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0045BF6A
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0045BF7F
                                                                                          • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0045BF94
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmpi
                                                                                          • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                          • API String ID: 1586166983-1625972887
                                                                                          • Opcode ID: 057ea858d3dd8b19e1dc48940da6addecc0fec35009b91c9fe036b58789e3fa5
                                                                                          • Instruction ID: 3ba0c24274a5fbf563ec394b5567f2b64a74022d26ed8a86c82e5534c056d350
                                                                                          • Opcode Fuzzy Hash: 057ea858d3dd8b19e1dc48940da6addecc0fec35009b91c9fe036b58789e3fa5
                                                                                          • Instruction Fuzzy Hash: 75519032A0021AAFDB158F65CC41B5E7BA9EF04346F14406BEC41DB252E738EA49CFD9
                                                                                          APIs
                                                                                          • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,771A8A60,?,?,?,?,00459A60,?,?,00459E9D), ref: 00456A7D
                                                                                          • GetDiskFreeSpaceA.KERNEL32(00459E9D,00459A60,?,?,?,004622F8,?,?,?,00459A60,?,?,00459E9D), ref: 00456ABB
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00459A60,?,?,00459E9D), ref: 00456B40
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00459A60,?,?,00459E9D), ref: 00456B4E
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00459A60,?,?,00459E9D), ref: 00456B5F
                                                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,00459A60,?,?,00459E9D), ref: 00456B6F
                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00459A60,?,?,00459E9D), ref: 00456B7D
                                                                                          • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00459A60,?,?,00459E9D), ref: 00456B80
                                                                                          • GetLastError.KERNEL32(?,?,?,00459A60,?,?,00459E9D,?,?,?,?,?,00459E9D,?,00000022,?), ref: 00456B96
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                          • String ID:
                                                                                          • API String ID: 3188212458-0
                                                                                          • Opcode ID: 18f0ad2a595243c42a30c680b8588b3f7c9c49908947901c2020e5e4d90d16b9
                                                                                          • Instruction ID: 46f7209a282575ff3b7cfbe7776659e7c810d09fa2c3d3b3460abbb1b5654a6a
                                                                                          • Opcode Fuzzy Hash: 18f0ad2a595243c42a30c680b8588b3f7c9c49908947901c2020e5e4d90d16b9
                                                                                          • Instruction Fuzzy Hash: 7F3126B290014CBFCB019FA09D44ADF7B78EF45301F154077EA51E3252E7B4A9498F6A
                                                                                          APIs
                                                                                          • GetUserNameA.ADVAPI32(?,0045D7C3), ref: 00456F7A
                                                                                          • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0045D7C3), ref: 00456FC1
                                                                                          • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00456FE8
                                                                                          • LocalFree.KERNEL32(00000120), ref: 0045701F
                                                                                          • wsprintfA.USER32 ref: 00457036
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                          • String ID: /%d$|
                                                                                          • API String ID: 676856371-4124749705
                                                                                          • Opcode ID: 7e17ff93d473e1c7f12dd5900b0832f6fc21f23ef76e3f8e9b333b9cf3a6e0b9
                                                                                          • Instruction ID: 29ffc896019a5c488a13712ec9e312993da8c231dde92de29af48a6d107b3aaf
                                                                                          • Opcode Fuzzy Hash: 7e17ff93d473e1c7f12dd5900b0832f6fc21f23ef76e3f8e9b333b9cf3a6e0b9
                                                                                          • Instruction Fuzzy Hash: 0C313C72904108BFDB01DFA5D849ADB7BBCEF04315F048066F949DB242EA79DA088B98
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004622F8,000000E4,00456DDC,000000C8), ref: 00456CE7
                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 00456CEE
                                                                                          • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00456D14
                                                                                          • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00456D2B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                          • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                          • API String ID: 1082366364-3395550214
                                                                                          • Opcode ID: a6720255fca6150eb9fb69ed00a51ee46ff59fa5b07c944254576dfe92a13c58
                                                                                          • Instruction ID: 91a6e4de9ddb02d06ae5f1735c86df976c421b9055566cfd6765171499dc5196
                                                                                          • Opcode Fuzzy Hash: a6720255fca6150eb9fb69ed00a51ee46ff59fa5b07c944254576dfe92a13c58
                                                                                          • Instruction Fuzzy Hash: 9921265174164439F72657229C89F7B2E5C8B13746F09046BFC0497293FADE889D82AF
                                                                                          APIs
                                                                                          • CreateProcessA.KERNEL32(00000000,00459947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004622F8), ref: 004597B1
                                                                                          • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004622F8), ref: 004597EB
                                                                                          • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004622F8), ref: 004597F9
                                                                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004622F8), ref: 00459831
                                                                                          • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004622F8), ref: 0045984E
                                                                                          • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,004622F8), ref: 0045985B
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                          • String ID: D
                                                                                          • API String ID: 2981417381-2746444292
                                                                                          • Opcode ID: 9012ac479da233c42b35aaa8e7879dad0b582e3cf9e150fe49ad6d229cdbdc31
                                                                                          • Instruction ID: 2e53b746f5f16d510907a7612248e325c6d4aab66e1922ed785e9b49b64472fd
                                                                                          • Opcode Fuzzy Hash: 9012ac479da233c42b35aaa8e7879dad0b582e3cf9e150fe49ad6d229cdbdc31
                                                                                          • Instruction Fuzzy Hash: 3E218D71D11219FBDB119FA1DC49EEF7B7CEF09351F000062F908E1151EB759A48CAA9
                                                                                          APIs
                                                                                            • Part of subcall function 0045DD05: GetTickCount.KERNEL32 ref: 0045DD0F
                                                                                            • Part of subcall function 0045DD05: InterlockedExchange.KERNEL32(004636B4,00000001), ref: 0045DD44
                                                                                            • Part of subcall function 0045DD05: GetCurrentThreadId.KERNEL32 ref: 0045DD53
                                                                                            • Part of subcall function 0045DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0045DDB5
                                                                                          • lstrcpynA.KERNEL32(?,00451E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0045EAAA,?,?), ref: 0045E8DE
                                                                                          • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0045EAAA,?,?,00000001,?,00451E84,?), ref: 0045E935
                                                                                          • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0045EAAA,?,?,00000001,?,00451E84,?,0000000A), ref: 0045E93D
                                                                                          • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0045EAAA,?,?,00000001,?,00451E84,?), ref: 0045E94F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                          • String ID: flags_upd$localcfg
                                                                                          • API String ID: 204374128-3505511081
                                                                                          • Opcode ID: 3ea0dfab2cb606774bd1caff11ff5806666f703b765ca490461a31fc69cd95bd
                                                                                          • Instruction ID: af492b2a776b8f5503b9c650c9eca4401c979a412645a8aacb8530f8915d929b
                                                                                          • Opcode Fuzzy Hash: 3ea0dfab2cb606774bd1caff11ff5806666f703b765ca490461a31fc69cd95bd
                                                                                          • Instruction Fuzzy Hash: 51514172D00209AFCB11DFA9C985DAEB7F9FF44309F14056EE805A3212E775EA18CB54
                                                                                          APIs
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Code
                                                                                          • String ID:
                                                                                          • API String ID: 3609698214-0
                                                                                          • Opcode ID: d8e4d4b77f95a0594cfa208b8a8ce2d3029c39c90d3004482df1f10acb68f235
                                                                                          • Instruction ID: 57c2449dfc3fddd3ec5ae574e852e38468c86a52466c4734aa088276e3f594d5
                                                                                          • Opcode Fuzzy Hash: d8e4d4b77f95a0594cfa208b8a8ce2d3029c39c90d3004482df1f10acb68f235
                                                                                          • Instruction Fuzzy Hash: AA21F372100105FFDB129B71FC49E9F3BACDB04366B214426F942E2092EB74DA08D67D
                                                                                          APIs
                                                                                          • GetTempPathA.KERNEL32(00000400,?,00000000,004622F8), ref: 0045907B
                                                                                          • wsprintfA.USER32 ref: 004590E9
                                                                                          • CreateFileA.KERNEL32(004622F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0045910E
                                                                                          • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00459122
                                                                                          • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0045912D
                                                                                          • CloseHandle.KERNEL32(00000000), ref: 00459134
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                          • String ID:
                                                                                          • API String ID: 2439722600-0
                                                                                          • Opcode ID: 3ded0395f55181e2482a86db7aa26f8d8d4ee03cfe02b69376cf6384b7243203
                                                                                          • Instruction ID: 620814d37df617deb2f6a1e4cbca2145696878fbe5c501fb86152fb8e8fb8728
                                                                                          • Opcode Fuzzy Hash: 3ded0395f55181e2482a86db7aa26f8d8d4ee03cfe02b69376cf6384b7243203
                                                                                          • Instruction Fuzzy Hash: 9111B7B26405147BF7256B23DC0AFAF366DDBC5705F00806AFB0AA1092FAB48E059669
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0045DD0F
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0045DD20
                                                                                          • GetTickCount.KERNEL32 ref: 0045DD2E
                                                                                          • Sleep.KERNEL32(00000000,?,771B0F10,?,00000000,0045E538,?,771B0F10,?,00000000,?,0045A445), ref: 0045DD3B
                                                                                          • InterlockedExchange.KERNEL32(004636B4,00000001), ref: 0045DD44
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 0045DD53
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 3819781495-0
                                                                                          • Opcode ID: 470bcc5b15ef9539169baa48b7ee5edc75b84084112a3bba8b7a73a746541b4c
                                                                                          • Instruction ID: b41d7d52adee7af0fb09b9096c761df8674d765ad5e2ba20c43df07140e4c156
                                                                                          • Opcode Fuzzy Hash: 470bcc5b15ef9539169baa48b7ee5edc75b84084112a3bba8b7a73a746541b4c
                                                                                          • Instruction Fuzzy Hash: 25F0BE72904205ABD7A05F65FC84B2A3BB4EB44313F000076EA0AC2262E7E9555D8E2F
                                                                                          APIs
                                                                                          • gethostname.WS2_32(?,00000080), ref: 0045AD1C
                                                                                          • lstrlenA.KERNEL32(00000000), ref: 0045AD60
                                                                                          • lstrlenA.KERNEL32(00000000), ref: 0045AD69
                                                                                          • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0045AD7F
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$gethostnamelstrcpy
                                                                                          • String ID: LocalHost
                                                                                          • API String ID: 3695455745-3154191806
                                                                                          • Opcode ID: b09b091d8be495c66dd886dbe31372ecd520747283a8858173104601954fb644
                                                                                          • Instruction ID: d247c8c1f9a889028dab893fa26d810880dc9bb2def042d61f631bc3fed984b2
                                                                                          • Opcode Fuzzy Hash: b09b091d8be495c66dd886dbe31372ecd520747283a8858173104601954fb644
                                                                                          • Instruction Fuzzy Hash: 570149208441895DDF3126289844BB77F775B9774BF100267DCC087613E6AC885F835F
                                                                                          APIs
                                                                                          • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004598FD,00000001,00000100,004622F8,0045A3C7), ref: 00454290
                                                                                          • CloseHandle.KERNEL32(0045A3C7), ref: 004543AB
                                                                                          • CloseHandle.KERNEL32(00000001), ref: 004543AE
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CloseHandle$CreateEvent
                                                                                          • String ID:
                                                                                          • API String ID: 1371578007-0
                                                                                          • Opcode ID: 3d1785673b15d5ab18ff5d1bbdafaff51fd49b969dca51201bc0c18c7a3aa4d3
                                                                                          • Instruction ID: e1c199d6270dbb0af57ae66aa461f2d6f5edb3a6e8acc8a5fc3fbb3bae38d81a
                                                                                          • Opcode Fuzzy Hash: 3d1785673b15d5ab18ff5d1bbdafaff51fd49b969dca51201bc0c18c7a3aa4d3
                                                                                          • Instruction Fuzzy Hash: 2F41C471D00109BADF109FA2CD46F9FBFB8EF4035AF100156F904A6192D7788A44DB65
                                                                                          APIs
                                                                                          • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004564CF,00000000), ref: 0045609C
                                                                                          • LoadLibraryA.KERNEL32(?,?,004564CF,00000000), ref: 004560C3
                                                                                          • GetProcAddress.KERNEL32(?,00000014), ref: 0045614A
                                                                                          • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0045619E
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Read$AddressLibraryLoadProc
                                                                                          • String ID:
                                                                                          • API String ID: 2438460464-0
                                                                                          • Opcode ID: 8069aa3dcb1719c2ae74518209c80c7474e339a87e8e317c617cbc531a78bca6
                                                                                          • Instruction ID: bd6280be14f04b0ce19a2819da5a2eb24abeac2ebef1aa7423b4ed073bb7d8cc
                                                                                          • Opcode Fuzzy Hash: 8069aa3dcb1719c2ae74518209c80c7474e339a87e8e317c617cbc531a78bca6
                                                                                          • Instruction Fuzzy Hash: 0141BF71A00505AFDB24CF58C880BBAB7B8EF14356F65806AEC05D7392E738ED49CB84
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID:
                                                                                          • String ID:
                                                                                          • API String ID:
                                                                                          • Opcode ID: 3fb87dba0453db0a18972efef385f02c9cba6291c624d522b153d847f457e210
                                                                                          • Instruction ID: 7c4169744b4334e993870a23d11f0772031cac0ac1da4c1569a76197dc095db1
                                                                                          • Opcode Fuzzy Hash: 3fb87dba0453db0a18972efef385f02c9cba6291c624d522b153d847f457e210
                                                                                          • Instruction Fuzzy Hash: 1831B571A00309ABCF109FA6CD826BEB7F4FF49706F10445BF905E6242E3B8DA458B58
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0045272E
                                                                                          • htons.WS2_32(00000001), ref: 00452752
                                                                                          • htons.WS2_32(0000000F), ref: 004527D5
                                                                                          • htons.WS2_32(00000001), ref: 004527E3
                                                                                          • sendto.WS2_32(?,00462BF8,00000009,00000000,00000010,00000010), ref: 00452802
                                                                                            • Part of subcall function 0045EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0045EBFE,7FFF0001,?,0045DB55,7FFF0001), ref: 0045EBD3
                                                                                            • Part of subcall function 0045EBCC: RtlAllocateHeap.NTDLL(00000000,?,0045DB55,7FFF0001), ref: 0045EBDA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                          • String ID:
                                                                                          • API String ID: 1128258776-0
                                                                                          • Opcode ID: 46d5cf4d3df9056393a440aa11b025c91596792ea3f20635319ecc308f764f71
                                                                                          • Instruction ID: e0fd3a5bc0b0b75f2d40a490c9a20bdf4e283333186239924c1eb119e3cbb9df
                                                                                          • Opcode Fuzzy Hash: 46d5cf4d3df9056393a440aa11b025c91596792ea3f20635319ecc308f764f71
                                                                                          • Instruction Fuzzy Hash: 6E313534240382AFD710CF76DC90A667760FF1E758B19406EE8558B323E2F2E846C70A
                                                                                          APIs
                                                                                          • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004622F8), ref: 0045915F
                                                                                          • GetModuleFileNameA.KERNEL32(00000000), ref: 00459166
                                                                                          • CharToOemA.USER32(?,?), ref: 00459174
                                                                                          • wsprintfA.USER32 ref: 004591A9
                                                                                            • Part of subcall function 00459064: GetTempPathA.KERNEL32(00000400,?,00000000,004622F8), ref: 0045907B
                                                                                            • Part of subcall function 00459064: wsprintfA.USER32 ref: 004590E9
                                                                                            • Part of subcall function 00459064: CreateFileA.KERNEL32(004622F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0045910E
                                                                                            • Part of subcall function 00459064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00459122
                                                                                            • Part of subcall function 00459064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0045912D
                                                                                            • Part of subcall function 00459064: CloseHandle.KERNEL32(00000000), ref: 00459134
                                                                                          • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004591E1
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                          • String ID:
                                                                                          • API String ID: 3857584221-0
                                                                                          • Opcode ID: 6bf829490e96da07ce3780ca48a050a7bc908b62bb7d96f713636faba154e889
                                                                                          • Instruction ID: 4b1afcc6a20420d803622d9a5ebcd8f46ccf668594bd7e45c92ed0078db59efe
                                                                                          • Opcode Fuzzy Hash: 6bf829490e96da07ce3780ca48a050a7bc908b62bb7d96f713636faba154e889
                                                                                          • Instruction Fuzzy Hash: 600184F68001187BD72097519D49EDF367CDB85701F0000A6FB05E1081EAF49A888F75
                                                                                          APIs
                                                                                          • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00452491,?,?,?,0045E844,-00000030,?,?,?,00000001), ref: 00452429
                                                                                          • lstrlenA.KERNEL32(?,?,00452491,?,?,?,0045E844,-00000030,?,?,?,00000001,00451E3D,00000001,localcfg,lid_file_upd), ref: 0045243E
                                                                                          • lstrcmpiA.KERNEL32(?,?), ref: 00452452
                                                                                          • lstrlenA.KERNEL32(?,?,00452491,?,?,?,0045E844,-00000030,?,?,?,00000001,00451E3D,00000001,localcfg,lid_file_upd), ref: 00452467
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrlen$lstrcmpi
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 1808961391-1857712256
                                                                                          • Opcode ID: 07bd2db06cd662c78bf35709a15cb967613a7ccf47378211ee7b364db2000a74
                                                                                          • Instruction ID: 08bec74ecc916698921a1d57a82e32772f22e32380b836fc365d72d7b7d96795
                                                                                          • Opcode Fuzzy Hash: 07bd2db06cd662c78bf35709a15cb967613a7ccf47378211ee7b364db2000a74
                                                                                          • Instruction Fuzzy Hash: 70011A31600218AF8F11EF69DD808DE7BA9EF46355B05C427EC5997212E3B4EA45CA98
                                                                                          APIs
                                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00456F0F
                                                                                          • CheckTokenMembership.ADVAPI32(00000000,?,*pE), ref: 00456F24
                                                                                          • FreeSid.ADVAPI32(?), ref: 00456F3E
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                          • String ID: *pE
                                                                                          • API String ID: 3429775523-3809662669
                                                                                          • Opcode ID: 2dfce98a000d712d5b0fee9ce9ff89771d626c52ad4201a9335a9939ec327ff9
                                                                                          • Instruction ID: 73d14cbca183cbfc413657e2220855adc9e7a2b73d1d4721b727856710003cad
                                                                                          • Opcode Fuzzy Hash: 2dfce98a000d712d5b0fee9ce9ff89771d626c52ad4201a9335a9939ec327ff9
                                                                                          • Instruction Fuzzy Hash: 40015E72A01608FFDB10DFE4ED85AAE77B8EB04305F50487AE605E2152E3B49948CA59
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: wsprintf
                                                                                          • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                          • API String ID: 2111968516-120809033
                                                                                          • Opcode ID: f1e335131c7c5f80ccd0b54e921f06a3bb59eb11f560458ec446b87f1ea314ce
                                                                                          • Instruction ID: f93e04fefba7c0e0a1843121bd5f3f4bc49d5298de209c694cd76d3d8c3b1e7b
                                                                                          • Opcode Fuzzy Hash: f1e335131c7c5f80ccd0b54e921f06a3bb59eb11f560458ec446b87f1ea314ce
                                                                                          • Instruction Fuzzy Hash: D941CF729042989FDB21CF798D44BEE3BF89F49311F240056FD64D3252E639EA09CBA4
                                                                                          APIs
                                                                                            • Part of subcall function 0045DD05: GetTickCount.KERNEL32 ref: 0045DD0F
                                                                                            • Part of subcall function 0045DD05: InterlockedExchange.KERNEL32(004636B4,00000001), ref: 0045DD44
                                                                                            • Part of subcall function 0045DD05: GetCurrentThreadId.KERNEL32 ref: 0045DD53
                                                                                          • lstrcmpA.KERNEL32(771B0F18,00000000,?,771B0F10,00000000,?,00455EC1), ref: 0045E693
                                                                                          • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,771B0F10,00000000,?,00455EC1), ref: 0045E6E9
                                                                                          • lstrcmpA.KERNEL32(89ABCDEF,00000008,?,771B0F10,00000000,?,00455EC1), ref: 0045E722
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                          • String ID: 89ABCDEF
                                                                                          • API String ID: 3343386518-71641322
                                                                                          • Opcode ID: 96a9740e7ae3894101740544e701bf736c338a8d7778cfa31937a0a59413f2fd
                                                                                          • Instruction ID: b91ae743c2297c34fdb9bbc3bc9db0d78eebb4160227d90aeb762fe57a4bdc2c
                                                                                          • Opcode Fuzzy Hash: 96a9740e7ae3894101740544e701bf736c338a8d7778cfa31937a0a59413f2fd
                                                                                          • Instruction Fuzzy Hash: 0731D231500701DBCB398F62D88476777E4AF25396F10442FE99587652E7B8EA88CB4A
                                                                                          APIs
                                                                                          • RegCreateKeyExA.ADVAPI32(80000001,0045E2A3,00000000,00000000,00000000,00020106,00000000,0045E2A3,00000000,000000E4), ref: 0045E0B2
                                                                                          • RegSetValueExA.ADVAPI32(0045E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004622F8), ref: 0045E127
                                                                                          • RegDeleteValueA.ADVAPI32(0045E2A3,?,?,?,?,?,000000C8,004622F8), ref: 0045E158
                                                                                          • RegCloseKey.ADVAPI32(0045E2A3,?,?,?,?,000000C8,004622F8,?,?,?,?,?,?,?,?,0045E2A3), ref: 0045E161
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Value$CloseCreateDelete
                                                                                          • String ID:
                                                                                          • API String ID: 2667537340-0
                                                                                          • Opcode ID: 3a293b77e157feab516fe1e4000e31eb40dc59e5b4a1a49cf50e0f9148f1b6a0
                                                                                          • Instruction ID: 956d8b59245814aa0126eb58baef1cfbb41ce04340209aaffc9adb9503f0d3b0
                                                                                          • Opcode Fuzzy Hash: 3a293b77e157feab516fe1e4000e31eb40dc59e5b4a1a49cf50e0f9148f1b6a0
                                                                                          • Instruction Fuzzy Hash: 3F215071A00229BBDF209FA6DC89EDF7F79EF09754F004062FD04A6151E6718B18DB95
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00000000,00000000,0045A3C7,00000000,00000000,000007D0,00000001), ref: 00453F44
                                                                                          • GetLastError.KERNEL32 ref: 00453F4E
                                                                                          • WaitForSingleObject.KERNEL32(00000004,?), ref: 00453F5F
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453F72
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                          • String ID:
                                                                                          • API String ID: 3373104450-0
                                                                                          • Opcode ID: 7fa5c0b799b387b89d23fd9be310602f9cc47103cf8d6f0186ae8f797e03e4fc
                                                                                          • Instruction ID: a06f641612f21be91a38e96e8c44ac1d2157e402325100c0f5b8d43abeb3aed0
                                                                                          • Opcode Fuzzy Hash: 7fa5c0b799b387b89d23fd9be310602f9cc47103cf8d6f0186ae8f797e03e4fc
                                                                                          • Instruction Fuzzy Hash: EB010C72915109ABDF01DF90ED44BEF7B7CEB04396F104026FA01E2151E774DA158BB6
                                                                                          APIs
                                                                                          • ReadFile.KERNEL32(00000000,00000000,0045A3C7,00000000,00000000,000007D0,00000001), ref: 00453FB8
                                                                                          • GetLastError.KERNEL32 ref: 00453FC2
                                                                                          • WaitForSingleObject.KERNEL32(00000004,?), ref: 00453FD3
                                                                                          • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00453FE6
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                          • String ID:
                                                                                          • API String ID: 888215731-0
                                                                                          • Opcode ID: 0731c7a1bddd687a8a6e799b7a09a5a15634b71c94fa9bcc50f1849c560fa8e8
                                                                                          • Instruction ID: 62c4be2f6fb6c9490d700730fe7191ce812da41a7be2ce8957ff7d943743218a
                                                                                          • Opcode Fuzzy Hash: 0731c7a1bddd687a8a6e799b7a09a5a15634b71c94fa9bcc50f1849c560fa8e8
                                                                                          • Instruction Fuzzy Hash: 8801177291110AABDF01DF90ED45BEF3B7CEB04356F004022FD02E2050E7749A148BB6
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 0045A4D1
                                                                                          • GetTickCount.KERNEL32 ref: 0045A4E4
                                                                                          • Sleep.KERNEL32(00000000,?,0045C2E9,0045C4E0,00000000,localcfg,?,0045C4E0,00463588,00458810), ref: 0045A4F1
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 0045A4FA
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 12d4890236749a5e392ce50f15df743a1457186524b5503b200b96a2dcff33c9
                                                                                          • Instruction ID: 25fdee8d33b1cba829ee0fd9ed546dd45dee5a68954a6aba2fc678be6d87d62b
                                                                                          • Opcode Fuzzy Hash: 12d4890236749a5e392ce50f15df743a1457186524b5503b200b96a2dcff33c9
                                                                                          • Instruction Fuzzy Hash: 50E0263320020467C6001BE5BD84F6B3388AB4A762F010132FF04D3242E69AA85541BF
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00454E9E
                                                                                          • GetTickCount.KERNEL32 ref: 00454EAD
                                                                                          • Sleep.KERNEL32(0000000A,?,00000001), ref: 00454EBA
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 00454EC3
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: 007bfad4e3c165b09952189f77988571a652048760c0c2e15fcb65dac501d158
                                                                                          • Instruction ID: 1cee8403b9d03df5432fb1acea8772955b59a23de8c1a5281a98b359c9b60576
                                                                                          • Opcode Fuzzy Hash: 007bfad4e3c165b09952189f77988571a652048760c0c2e15fcb65dac501d158
                                                                                          • Instruction Fuzzy Hash: B6E0263220020427D60023BABC84F576289AB86366F010532EB08C6181D69A988205BA
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00454BDD
                                                                                          • GetTickCount.KERNEL32 ref: 00454BEC
                                                                                          • Sleep.KERNEL32(00000000,?,?,?,02A1E084,004550F2), ref: 00454BF9
                                                                                          • InterlockedExchange.KERNEL32(02A1E078,00000001), ref: 00454C02
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: e3871878ce8858f21c807fa7c4991cbee0514a9797fb3e763a031bd5a69b8381
                                                                                          • Instruction ID: 65f86059779b8aa9be0a84bc2326954b6126174702fa42148c1b6562369d18b2
                                                                                          • Opcode Fuzzy Hash: e3871878ce8858f21c807fa7c4991cbee0514a9797fb3e763a031bd5a69b8381
                                                                                          • Instruction Fuzzy Hash: E7E0863224521467C61017A56D80F5B77989BD5366F060473FB08D6151D59AE48541BA
                                                                                          APIs
                                                                                          • GetTickCount.KERNEL32 ref: 00453103
                                                                                          • GetTickCount.KERNEL32 ref: 0045310F
                                                                                          • Sleep.KERNEL32(00000000), ref: 0045311C
                                                                                          • InterlockedExchange.KERNEL32(?,00000001), ref: 00453128
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick$ExchangeInterlockedSleep
                                                                                          • String ID:
                                                                                          • API String ID: 2207858713-0
                                                                                          • Opcode ID: f8be4a66bf55b6f6a761d4502aefb66559227bd940067035c063295a73b1644e
                                                                                          • Instruction ID: c2612821dd07afb844c4f8cc04d0ead2f987a4287ebc2f377ea2408c0db2bf63
                                                                                          • Opcode Fuzzy Hash: f8be4a66bf55b6f6a761d4502aefb66559227bd940067035c063295a73b1644e
                                                                                          • Instruction Fuzzy Hash: 1EE0C231200215ABDB006F76BD44B4F6A9ADF847A3F010432FA01D61A1D6944D05897B
                                                                                          APIs
                                                                                          • WriteFile.KERNEL32(00459A60,?,?,00000000,00000000,00459A60,?,00000000), ref: 004569F9
                                                                                          • WriteFile.KERNEL32(00459A60,?,00459A60,00000000,00000000), ref: 00456A27
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: FileWrite
                                                                                          • String ID: ,kE
                                                                                          • API String ID: 3934441357-1319723493
                                                                                          • Opcode ID: ebbaf7e2b0a8d3d6dad23903e5861fc78b68b42c33d9d1a56293342ccf7d0e3c
                                                                                          • Instruction ID: cfe7e3c84b58f820c6ac756347d37c85462845e79f8c2349659edf58e5e68f03
                                                                                          • Opcode Fuzzy Hash: ebbaf7e2b0a8d3d6dad23903e5861fc78b68b42c33d9d1a56293342ccf7d0e3c
                                                                                          • Instruction Fuzzy Hash: 2F314B72A00209EFDB24CF58DD84BAA77F4EB14316F51846AEC01E7201D374EE58CB65
                                                                                          APIs
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTick
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 536389180-1857712256
                                                                                          • Opcode ID: bcaed46bd1c1f7c24044b5ddf3b20c3714f8e0de5a6b5af41dc6c815d558dc66
                                                                                          • Instruction ID: 7f692a4f52ed16448b070c683ddb9fda955a20d7306c03cf61701311fd87528d
                                                                                          • Opcode Fuzzy Hash: bcaed46bd1c1f7c24044b5ddf3b20c3714f8e0de5a6b5af41dc6c815d558dc66
                                                                                          • Instruction Fuzzy Hash: 7121AE32610115AFDB109F64D88166ABBF9AB20312B29006FDC01E7293DF78E94C875A
                                                                                          APIs
                                                                                          Strings
                                                                                          • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0045C057
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CountTickwsprintf
                                                                                          • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                          • API String ID: 2424974917-1012700906
                                                                                          • Opcode ID: a1c97c65fbe8c6f0bc5d31b6067bce2c1736d43a09fe49bbee67d1ff85d0d4bb
                                                                                          • Instruction ID: dee9b98d87c03c3a49f5fe96d6f639b7c4f84cc32a01cce6e6eacb9e356ecfe3
                                                                                          • Opcode Fuzzy Hash: a1c97c65fbe8c6f0bc5d31b6067bce2c1736d43a09fe49bbee67d1ff85d0d4bb
                                                                                          • Instruction Fuzzy Hash: 10119772100100FFDB429BA9DD44E567FA6FF88318B3491ACF6188E166D633D863EB50
                                                                                          APIs
                                                                                            • Part of subcall function 004530FA: GetTickCount.KERNEL32 ref: 00453103
                                                                                            • Part of subcall function 004530FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00453128
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00453929
                                                                                          • GetCurrentThreadId.KERNEL32 ref: 00453939
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 3716169038-2903620461
                                                                                          • Opcode ID: 8ef935f39c53b90dc290e51200adecef8c904de422cbdc9af52d558b1a6a5542
                                                                                          • Instruction ID: c23d2aaac41f9bdc56065093316df8c61fb46fdb9ad20269ea80c3c2d8d29b34
                                                                                          • Opcode Fuzzy Hash: 8ef935f39c53b90dc290e51200adecef8c904de422cbdc9af52d558b1a6a5542
                                                                                          • Instruction Fuzzy Hash: 161158B1900215EFD720DF0AD581A5DF3F4FB05757F10852EE84097292D7B8AA88CFA9
                                                                                          APIs
                                                                                          • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0045BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0045ABB9
                                                                                          • InterlockedIncrement.KERNEL32(00463640), ref: 0045ABE1
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: IncrementInterlockedlstrcpyn
                                                                                          • String ID: %FROM_EMAIL
                                                                                          • API String ID: 224340156-2903620461
                                                                                          • Opcode ID: 99eb4968e01bae0413f774fe324885d7979eb5a6efba502aa5b67b1734a9c8d6
                                                                                          • Instruction ID: d7bb0d4b177be1ad4ba0e6849e01259bb65fcdd5b538b1279a96c654a3f36315
                                                                                          • Opcode Fuzzy Hash: 99eb4968e01bae0413f774fe324885d7979eb5a6efba502aa5b67b1734a9c8d6
                                                                                          • Instruction Fuzzy Hash: 5801F1315083C4AFDB21CF18D881F867BA6AF15315F144586FA808B303C3B9EA58CBD6
                                                                                          APIs
                                                                                          • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004526C3
                                                                                          • inet_ntoa.WS2_32(?), ref: 004526E4
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: gethostbyaddrinet_ntoa
                                                                                          • String ID: localcfg
                                                                                          • API String ID: 2112563974-1857712256
                                                                                          • Opcode ID: 79656c7ed79c53b518bd87b79d6b921bde2c6ecfb40bcc3d3710413b0d0924d8
                                                                                          • Instruction ID: 923ca10ac179065bdd36e2e22d40fb2e05b91002513aabd7366431c1f3223ea3
                                                                                          • Opcode Fuzzy Hash: 79656c7ed79c53b518bd87b79d6b921bde2c6ecfb40bcc3d3710413b0d0924d8
                                                                                          • Instruction Fuzzy Hash: 8BF082321482097FEB04AFA1ED09A9B379CEF05751F104467FE08CA091EBB5D944979D
                                                                                          APIs
                                                                                          • LoadLibraryA.KERNEL32(ntdll.dll,0045EB54,_alldiv,0045F0B7,80000001,00000000,00989680,00000000,?,?,?,0045E342,00000000,7686EA50,80000001,00000000), ref: 0045EAF2
                                                                                          • GetProcAddress.KERNEL32(776F0000,00000000), ref: 0045EB07
                                                                                          Strings
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: AddressLibraryLoadProc
                                                                                          • String ID: ntdll.dll
                                                                                          • API String ID: 2574300362-2227199552
                                                                                          • Opcode ID: e1227c046a191a5b7c39a87e2427aa2bf0d04f57205a7f60711f984045e9a122
                                                                                          • Instruction ID: 5372a8a08bed4c02eb53afac7823b29f9d98728b0306ad8f648b08dd30d5ca92
                                                                                          • Opcode Fuzzy Hash: e1227c046a191a5b7c39a87e2427aa2bf0d04f57205a7f60711f984045e9a122
                                                                                          • Instruction Fuzzy Hash: D4D0C7346003426B8F25CF65DE0A94776996750703B404026F806C1621F7F4E548D60E
                                                                                          APIs
                                                                                            • Part of subcall function 00452D21: GetModuleHandleA.KERNEL32(00000000,771B23A0,?,00000000,00452F01,?,004520FF,00462000), ref: 00452D3A
                                                                                            • Part of subcall function 00452D21: LoadLibraryA.KERNEL32(?), ref: 00452D4A
                                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00452F73
                                                                                          • HeapFree.KERNEL32(00000000), ref: 00452F7A
                                                                                          Memory Dump Source
                                                                                          • Source File: 00000018.00000002.3691471117.0000000000450000.00000040.00000400.00020000.00000000.sdmp, Offset: 00450000, based on PE: true
                                                                                          Joe Sandbox IDA Plugin
                                                                                          • Snapshot File: hcaresult_24_2_450000_svchost.jbxd
                                                                                          Yara matches
                                                                                          Similarity
                                                                                          • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                          • String ID:
                                                                                          • API String ID: 1017166417-0
                                                                                          • Opcode ID: f8d6d7cad6c1189b0a86d2bd88554609ba148a2ea7db1932527e64493523d0f1
                                                                                          • Instruction ID: fb5f3c1885d13adc67b0d4adfcebb5edfec967f11c72bb50e6285e35069514cf
                                                                                          • Opcode Fuzzy Hash: f8d6d7cad6c1189b0a86d2bd88554609ba148a2ea7db1932527e64493523d0f1
                                                                                          • Instruction Fuzzy Hash: A251E2319002069FCF01DF64DC889FAB774FF16306F10416AEC96C7211E7769A19CB88