Windows Analysis Report
SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe

Overview

General Information

Sample name:SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe
Analysis ID:1469237
MD5:56781772c92e1822beec9faee18fadc9
SHA1:889af8e28ecda1df1e79c1f4abe533959b29a9db
SHA256:4f0a6b89e63437c52a7adf09a15950b3ba5b9d1d7c8791a8559721ae24875894
Tags:exe

Detection

Tofsee
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Modifies existing windows services
One or more processes crash
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe (PID: 572 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe" MD5: 56781772C92E1822BEEC9FAEE18FADC9)
    • cmd.exe (PID: 7148 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jcbeaetw\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2108 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\szylttbf.exe" C:\Windows\SysWOW64\jcbeaetw\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 5260 cmdline: "C:\Windows\System32\sc.exe" create jcbeaetw binPath= "C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d\"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2260 cmdline: "C:\Windows\System32\sc.exe" description jcbeaetw "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 2604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2956 cmdline: "C:\Windows\System32\sc.exe" start jcbeaetw MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 1576 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 6056 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 1032 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • szylttbf.exe (PID: 6788 cmdline: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe" MD5: 83E4D0728F822668A2CFF9EF2C227B53)
    • svchost.exe (PID: 6548 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 6220 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 540 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 3292 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 3652 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 572 -ip 572 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6196 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6788 -ip 6788 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 3816 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee

Extracted malware configuration:
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Yara matches in memory dumps

Source: 0000000C.00000002.2221092359.0000000000650000.00000004.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security

Source: 0000000C.00000002.2221092359.0000000000650000.00000004.00001000.00020000.00000000.sdmp
Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0x2544:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xee95:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3

Source: 0000000C.00000002.2221092359.0000000000650000.00000004.00001000.00020000.00000000.sdmp
Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen
  • 0x1123e:$s1: n%systemroot%\system32\cmd.exe
  • 0x10310:$s2: loader_id
  • 0x10340:$s3: start_srv
  • 0x10370:$s4: lid_file_upd
  • 0x10364:$s5: localcfg
  • 0x10a94:$s6: Incorrect respons
  • 0x10b74:$s7: mx connect error
  • 0x10af0:$s8: Error sending command (sent = %d/%d)
  • 0x10c28:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u

Source: 00000000.00000002.2151473629.000000000075D000.00000040.00000020.00020000.00000000.sdmp
Rule: Windows_Trojan_RedLineStealer_ed346e4c; Description: unknown; Author: unknown
  • 0x15b0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B

Source: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp
Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security

(24 entries in the full report; only the rows above are shown here)

Yara matches in unpacked PE files

Source: 12.3.szylttbf.exe.650000.0.unpack
Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3

Source: 12.3.szylttbf.exe.650000.0.unpack
Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons

Source: 12.2.szylttbf.exe.400000.0.unpack
Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security

Source: 12.2.szylttbf.exe.400000.0.unpack
Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3

Source: 12.2.szylttbf.exe.400000.0.unpack
Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u

(39 entries in the full report; only the rows above are shown here)

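The `$a` bytes in the Windows_Trojan_Tofsee_26124fe4 hits above are a complete x86 function: `push ebp; mov ebp,esp; mov eax,[ebp+8]; mov edi,[ebp+10h]; mov cl,1` and then a loop of `mov dl,[esi+eax]; xor dl,[ebp+14h]; mov [eax],dl; mov dl,cl; add dl,[ebp+18h]; neg cl; add [ebp+14h],dl; inc eax; dec edi; jnz`. Each byte is XORed with a one-byte key that then advances by a delta plus an alternating +1/-1, which is why a raw memory scan trips the Elastic byte signature while the ditekSHen `$s` strings (loader_id, start_srv, lid_file_upd, localcfg, ...) only appear once the string table has been decoded. The block below is an added example, not code from Joe Sandbox, Elastic or ditekSHen: it scans a constructed buffer for the listed patterns and strings, reimplements the routine the `$a` bytes encode, and shows the before/after rule matches. The `4 of ($s*)` condition, the key 0x3C and delta 0x11 are assumptions; the real rule conditions are not shown on this page.

```python
"""Scanner for the YARA strings listed in the report plus a re-implementation of
the rolling-XOR routine that the Windows_Trojan_Tofsee_26124fe4 `$a` bytes
disassemble to. Added example; the scanned buffer is constructed."""

# Byte patterns copied verbatim from the rule hits in the report.
PATTERNS = {
    "$a": bytes.fromhex(
        "55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 "
        "8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA "
        "5E 8B 45 08 5F 5D C3"),
    "$b": bytes.fromhex(
        "8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB "
        "74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 "
        "74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3"),
}
# ASCII strings of the ditekSHen MALWARE_Win_Tofsee rule as listed in the report.
STRINGS = {
    "$s1": b"n%systemroot%\\system32\\cmd.exe", "$s2": b"loader_id",
    "$s3": b"start_srv", "$s4": b"lid_file_upd", "$s5": b"localcfg",
    "$s6": b"Incorrect respons", "$s7": b"mx connect error",
    "$s8": b"Error sending command (sent = %d/%d)",
    "$s9": b"%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u",
}
MIN_STRINGS = 4  # assumed condition; the page does not show the rule's condition


def scan(buf: bytes) -> dict:
    """Return {name: [offsets]} for every pattern/string present in buf."""
    hits = {}
    for name, needle in {**PATTERNS, **STRINGS}.items():
        offs, i = [], buf.find(needle)
        while i != -1:
            offs.append(i)
            i = buf.find(needle, i + 1)
        if offs:
            hits[name] = offs
    return hits


def matched_rules(hits: dict) -> set:
    rules = set()
    if "$a" in hits or "$b" in hits:
        rules.add("Windows_Trojan_Tofsee_26124fe4")
    if sum(1 for n in hits if n.startswith("$s")) >= MIN_STRINGS:
        rules.add("MALWARE_Win_Tofsee")
    return rules


def keystream(key: int, delta: int):
    """Key schedule of the $a routine: key += delta + cl, with cl starting at 1
    and negated after every byte (mov cl,1 ... neg cl), all in 8-bit arithmetic."""
    cl, key = 1, key & 0xFF
    while True:
        yield key
        key = (key + delta + cl) & 0xFF
        cl = -cl


def tofsee_xor(data: bytes, key: int, delta: int) -> bytes:
    """out[i] = in[i] ^ key_i; XOR makes the same call encrypt and decrypt."""
    return bytes(b ^ k for b, k in zip(data, keystream(key, delta)))


def decode_strings(region: bytes, key: int, delta: int) -> list:
    """Decode back-to-back NUL-terminated strings, each stored with a fresh key
    (the layout build_sample() uses; assumed, not taken from the sample)."""
    out, cur, ks = [], bytearray(), keystream(key, delta)
    for b in region:
        p = b ^ next(ks)
        if p == 0:
            out.append(bytes(cur))
            cur, ks = bytearray(), keystream(key, delta)
        else:
            cur.append(p)
    return out


def build_sample() -> bytes:
    """Constructed memory image: padding, the $a function, then an encoded
    string table. A raw scan therefore sees $a but none of the $s strings."""
    blob = b"\x90" * 0x100 + PATTERNS["$a"] + b"\x00" * 0x40
    for s in (b"loader_id", b"start_srv", b"lid_file_upd", b"localcfg"):
        blob += tofsee_xor(s + b"\x00", 0x3C, 0x11)   # assumed key/delta
    return blob


def analyse(blob: bytes, table_off: int, key: int, delta: int):
    """Rules matched by the raw buffer vs. after decoding the string table."""
    raw = scan(blob)
    decoded = b"\x00".join(decode_strings(blob[table_off:], key, delta))
    return matched_rules(raw), matched_rules({**raw, **scan(decoded)})
```

Running `analyse(build_sample(), 0x100 + len(PATTERNS["$a"]) + 0x40, 0x3C, 0x11)` returns the Elastic rule alone for the raw image and both rules once the table is decoded, which mirrors why the report lists both rules on the unpacked `.unpack` regions but the string-based rule is absent from some raw dumps. When triaging a live dump, recover `key` and `delta` from the call site of the matched function (the two stack arguments at `[ebp+14h]` and `[ebp+18h]`) rather than guessing them.
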
        System Summary

        Source: Process started; Author: David Burkett, @signalblur; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe", ParentImage: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe, ParentProcessId: 6788, ParentProcessName: szylttbf.exe, ProcessCommandLine: svchost.exe, ProcessId: 6548, ProcessName: svchost.exe
        Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\sc.exe" create jcbeaetw binPath= "C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d\"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create jcbeaetw binPath= "C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d\"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe, ParentProcessId: 572, ParentProcessName: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create jcbeaetw binPath= "C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d\"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 5260, ProcessName: sc.exe
        Source: Network Connection; Author: frack113; Data: DestinationIp: 104.47.54.36, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 6548, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49709
        Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe", ParentImage: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe, ParentProcessId: 6788, ParentProcessName: szylttbf.exe, ProcessCommandLine: svchost.exe, ProcessId: 6548, ProcessName: svchost.exe
        Source: Registry Key set; Author: Christian Burkard (Nextron Systems); Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6548, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\jcbeaetw
        Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\sc.exe" create jcbeaetw binPath= "C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d\"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create jcbeaetw binPath= "C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d\"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe, ParentProcessId: 572, ParentProcessName: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create jcbeaetw binPath= "C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d\"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 5260, ProcessName: sc.exe
        Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 3292, ProcessName: svchost.exe
        No Snort rule has matched
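The process tree and the Sigma hits above describe one persistence procedure: `cmd /C mkdir` of a random-named directory under SysWOW64, `move` of the dropped binary into it, `sc create` of an auto-start service whose binPath points there, `sc start`, a `netsh advfirewall` rule allowing `C:\Windows\SysWOW64\svchost.exe` inbound, and a Windows Defender path exclusion written from the injected svchost.exe (PID 6548, started with no `-k` group and parented by szylttbf.exe rather than services.exe). The block below is an added example, not Joe Sandbox or Sigma code: it runs simplified versions of those checks over constructed Sysmon-style events. The malicious command lines are copied from this report; the benign control events, the svchost parent allowlist and the "service binary in a SysWOW64 subdirectory" heuristic are assumptions that need tuning against a real fleet.

```python
"""Detection pass over the persistence chain in this report, run against
constructed Sysmon-style events (EID 1 process creation, EID 13 registry set).
Added example, not Joe Sandbox or Sigma code."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                 # "process" or "registry"
    image: str
    cmdline: str = ""
    parent_image: str = ""
    target: str = ""          # registry key for kind == "registry"


# Service binary living in a subdirectory of SysWOW64 (jcbeaetw\ in this report).
SYSWOW64_SUBDIR = re.compile(r"^C:\\Windows\\SysWOW64\\[^\\]+\\[^\\]+\.exe$", re.I)
SC_CREATE = re.compile(r'\bsc(?:\.exe)?"?\s+create\s+', re.I)
BINPATH = re.compile(r'binPath=\s*"?([^"\s]+)', re.I)
NETSH_ALLOW = re.compile(
    r'advfirewall\s+firewall\s+add\s+rule.*\baction=allow\b.*\bprogram="?([^"\s]+)', re.I)
DEFENDER_EXCL = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
# Parents that legitimately spawn svchost.exe (assumed, trimmed allowlist).
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "svchost.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (tag, evidence) tuples; one event may yield several tags."""
    findings = []
    for e in events:
        if e.kind == "process":
            name = basename(e.image)
            if name == "sc.exe" and SC_CREATE.search(e.cmdline):
                m = BINPATH.search(e.cmdline)
                if m and SYSWOW64_SUBDIR.match(m.group(1)):
                    findings.append(("service_in_syswow64_subdir", m.group(1)))
            elif name == "netsh.exe":
                m = NETSH_ALLOW.search(e.cmdline)
                if m and basename(m.group(1)) == "svchost.exe":
                    findings.append(("firewall_allow_svchost", m.group(1)))
            elif name == "svchost.exe":
                # A genuine service host is always started as "svchost.exe -k <group>".
                if " -k " not in f" {e.cmdline} ":
                    findings.append(("svchost_without_k", e.cmdline))
                if basename(e.parent_image) not in SVCHOST_PARENTS:
                    findings.append(("svchost_uncommon_parent", e.parent_image))
        elif e.kind == "registry" and e.target.startswith(DEFENDER_EXCL):
            findings.append(("defender_exclusion_added", e.target))
    return findings


DROPPER = r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe"
SERVICE_EXE = r"C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe"

SAMPLE_EVENTS = [
    # --- command lines taken from the report's process tree ---
    Event("process", r"C:\Windows\SysWOW64\sc.exe",
          r'"C:\Windows\System32\sc.exe" create jcbeaetw binPath= "C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d\"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe\"" type= own start= auto DisplayName= "wifi support"',
          DROPPER),
    Event("process", r"C:\Windows\SysWOW64\netsh.exe",
          r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul',
          DROPPER),
    Event("process", r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe", SERVICE_EXE),
    Event("registry", r"C:\Windows\SysWOW64\svchost.exe",
          target=DEFENDER_EXCL + r"Paths\C:\Windows\SysWOW64\jcbeaetw"),
    # --- constructed benign controls that must stay silent ---
    Event("process", r"C:\Windows\System32\svchost.exe",
          r"C:\Windows\System32\svchost.exe -k WerSvcGroup",
          r"C:\Windows\System32\services.exe"),
    Event("process", r"C:\Windows\System32\sc.exe",
          r'sc create AgentSvc binPath= "C:\Program Files\Agent\agent.exe" start= auto',
          r"C:\Windows\System32\msiexec.exe"),
]
```

`detect(SAMPLE_EVENTS)` yields five findings for the four malicious events and none for the two controls. The `svchost_without_k` and `svchost_uncommon_parent` checks correspond to the two svchost Sigma hits above and fire on the same event; correlating them with `firewall_allow_svchost` on the same host is what turns three medium-confidence alerts into one high-confidence incident.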

        AV Detection

        Source: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe; Avira: detected
        Source: vanaheim.cn:443; Avira URL Cloud: Label: phishing
        Source: C:\Users\user\AppData\Local\Temp\szylttbf.exe; Avira: detection malicious, Label: HEUR/AGEN.1318110
        Source: 12.2.szylttbf.exe.620e67.1.raw.unpack; Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
        Source: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe; ReversingLabs: Detection: 34%
        Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.4% probability
        Source: C:\Users\user\AppData\Local\Temp\szylttbf.exe; Joe Sandbox ML: detected
        Source: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe; Joe Sandbox ML: detected

        Compliance

        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe; Unpacked PE file: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe; Unpacked PE file: 12.2.szylttbf.exe.400000.0.unpack
        Source: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll

        Change of critical system settings

        Source: C:\Windows\SysWOW64\svchost.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\jcbeaetw

        Networking

        Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 98.136.96.91 25
        Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 217.69.139.150 25
        Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 195.133.13.231 443
        Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 104.47.54.36 25
        Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 64.233.166.26 25
        Source: Malware configuration extractor; URLs: vanaheim.cn:443
        Source: Malware configuration extractor; URLs: jotunheim.name:443
        Source: Joe Sandbox View; IP Address: 98.136.96.91
        Source: Joe Sandbox View; IP Address: 217.69.139.150
        Source: Joe Sandbox View; IP Address: 104.47.54.36
        Source: Joe Sandbox View; ASN Name: YAHOO-NE1US
        Source: Joe Sandbox View; ASN Name: MAILRU-ASMailRuRU
        Source: Joe Sandbox View; ASN Name: AS-REGRU
        Source: Joe Sandbox View; ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
        Source: global traffic; TCP traffic: 192.168.2.5:49709 -> 104.47.54.36:25
        Source: global traffic; TCP traffic: 192.168.2.5:49714 -> 98.136.96.91:25
        Source: global traffic; TCP traffic: 192.168.2.5:49716 -> 64.233.166.26:25
        Source: global traffic; TCP traffic: 192.168.2.5:49718 -> 217.69.139.150:25
        Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (9 occurrences)
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe; Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
        Source: global traffic; DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
        Source: global traffic; DNS traffic detected: DNS query: vanaheim.cn
        Source: global traffic; DNS traffic detected: DNS query: yahoo.com
        Source: global traffic; DNS traffic detected: DNS query: mta5.am0.yahoodns.net
        Source: global traffic; DNS traffic detected: DNS query: google.com
        Source: global traffic; DNS traffic detected: DNS query: smtp.google.com
        Source: global traffic; DNS traffic detected: DNS query: mail.ru
        Source: global traffic; DNS traffic detected: DNS query: mxs.mail.ru
        Source: unknown; Network traffic detected: HTTP traffic on port 49719 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49719
        Source: unknown; Network traffic detected: HTTP traffic on port 49713 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49717
        Source: unknown; Network traffic detected: HTTP traffic on port 49717 -> 443
        Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49713

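The networking section above is the spam-bot signature of Tofsee in one screen: the injected `C:\Windows\SysWOW64\svchost.exe` (PID 6548) resolves the MX hosts of four unrelated providers (outlook.com, yahoo.com, google.com, mail.ru) and opens TCP/25 to each, while the C2 goes over 443 to 195.133.13.231. The block below is an added example, not Joe Sandbox or Sigma code, showing two detections over Sysmon EID 3-style network events: the per-connection "non-mail-client talks SMTP" check that the frack113 Sigma hit represents, plus a port-25 fan-out count that separates a spam bot from a legitimate mail server that relays everything to one smarthost. The svchost rows copy this report's endpoints; the other rows, the mail-client allowlist and the fan-out threshold are constructed assumptions.

```python
"""Outbound-SMTP detection over Sysmon EID 3-style network events.
Added example, not Joe Sandbox or Sigma code; thresholds are assumptions."""
from collections import defaultdict

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed: processes allowed to speak SMTP
SMTP_PORTS = {25, 465, 587}
FANOUT_THRESHOLD = 3   # assumed: distinct port-25 peers from one process before we call it a bot


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_smtp(events):
    """events: dicts with src, dst, dport, image (the connecting process).
    Returns (per_connection_hits, fanout_hits)."""
    hits, peers = [], defaultdict(set)
    for e in events:
        if e["dport"] not in SMTP_PORTS:
            continue
        img = basename(e["image"])
        if img in MAIL_CLIENTS:
            continue
        hits.append((e["src"], img, e["dst"], e["dport"]))
        if e["dport"] == 25:        # MTA-to-MTA port; a workstation has no business here
            peers[(e["src"], img)].add(e["dst"])
    fanout = [(src, img, sorted(dsts)) for (src, img), dsts in peers.items()
              if len(dsts) >= FANOUT_THRESHOLD]
    return hits, fanout


SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
SAMPLE_EVENTS = [
    # from the report: injected svchost.exe contacting the MX hosts it resolved
    {"src": "192.168.2.5", "dst": "104.47.54.36",   "dport": 25,  "image": SVCHOST},
    {"src": "192.168.2.5", "dst": "98.136.96.91",   "dport": 25,  "image": SVCHOST},
    {"src": "192.168.2.5", "dst": "64.233.166.26",  "dport": 25,  "image": SVCHOST},
    {"src": "192.168.2.5", "dst": "217.69.139.150", "dport": 25,  "image": SVCHOST},
    {"src": "192.168.2.5", "dst": "195.133.13.231", "dport": 443, "image": SVCHOST},  # C2, not SMTP
    # constructed controls: a mail client on submission, and a mail server relaying to one smarthost
    {"src": "192.168.2.7", "dst": "10.0.0.25", "dport": 587,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"src": "192.168.2.9", "dst": "10.0.0.25", "dport": 25,
     "image": r"C:\Program Files\hMailServer\Bin\hMailServer.exe"},
    {"src": "192.168.2.9", "dst": "10.0.0.25", "dport": 25,
     "image": r"C:\Program Files\hMailServer\Bin\hMailServer.exe"},
]
```

`detect_smtp(SAMPLE_EVENTS)` flags all six non-client SMTP connections but only 192.168.2.5/svchost.exe as fan-out. In production, allowlist known mail servers by host rather than by image name, and pair the fan-out alert with the DNS side (MX lookups for several public providers from one workstation, as in the DNS lines above).
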
        Spam, unwanted Advertisements and Ransom Demands

        Source: Yara match; File source: 12.2.szylttbf.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0.3.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2130000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 12.2.szylttbf.exe.650000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2110e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 12.2.szylttbf.exe.650000.2.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 12.2.szylttbf.exe.620e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 12.2.szylttbf.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 12.3.szylttbf.exe.650000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 19.2.svchost.exe.2750000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 19.2.svchost.exe.2750000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match; File source: 0000000C.00000002.2221092359.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match; File source: 00000000.00000003.2110248416.0000000002130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 0000000C.00000003.2206909011.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe PID: 572, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: szylttbf.exe PID: 6788, type: MEMORYSTR
        Source: Yara match; File source: Process Memory Space: svchost.exe PID: 6548, type: MEMORYSTR

        System Summary

        Source: 12.3.szylttbf.exe.650000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.3.szylttbf.exe.650000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.szylttbf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.szylttbf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2110e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2110e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.3.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2130000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.3.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2130000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.3.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2130000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.3.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2130000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.szylttbf.exe.650000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.szylttbf.exe.650000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2110e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2110e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.szylttbf.exe.650000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.szylttbf.exe.650000.2.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.szylttbf.exe.620e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.szylttbf.exe.620e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.szylttbf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.szylttbf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.3.szylttbf.exe.650000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.3.szylttbf.exe.650000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 12.2.szylttbf.exe.620e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 12.2.szylttbf.exe.620e67.1.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 19.2.svchost.exe.2750000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 19.2.svchost.exe.2750000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 19.2.svchost.exe.2750000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 19.2.svchost.exe.2750000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000C.00000002.2221092359.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000C.00000002.2221092359.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000000.00000002.2151473629.000000000075D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
        Source: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
        Source: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
        Source: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000C.00000002.2221208662.0000000000688000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
        Source: 00000000.00000003.2110248416.0000000002130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000000.00000003.2110248416.0000000002130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 0000000C.00000003.2206909011.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 0000000C.00000003.2206909011.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 Author: unknown
        Source: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Tofsee Author: ditekSHen
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_00408E26 CreateFileW,DeviceIoControl,CloseHandle | 0_2_00408E26
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,EntryPoint,GetLastError,GetLastError | 0_2_00401280
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\jcbeaetw\
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_0040C913 | 0_2_0040C913
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Code function: 12_2_0040C913 | 12_2_0040C913
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_0275C913 | 19_2_0275C913
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: String function: 021127AB appears 35 times
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: String function: 0040EE2A appears 40 times
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: String function: 00402544 appears 53 times
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 572 -ip 572
        Source: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: 12.3.szylttbf.exe.650000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 12.3.szylttbf.exe.650000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
        Source: 12.2.szylttbf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 12.2.szylttbf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
        Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2110e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2110e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
        Source: 0.3.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2130000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 0.3.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2130000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
        Source: 0.3.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2130000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 0.3.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2130000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
        Source: 12.2.szylttbf.exe.650000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 12.2.szylttbf.exe.650000.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
        Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2110e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2110e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
        Source: 12.2.szylttbf.exe.650000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 12.2.szylttbf.exe.650000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
        Source: 12.2.szylttbf.exe.620e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 12.2.szylttbf.exe.620e67.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
        Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
        Source: 12.2.szylttbf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 12.2.szylttbf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
        Source: 12.3.szylttbf.exe.650000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 12.3.szylttbf.exe.650000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
        Source: 12.2.szylttbf.exe.620e67.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 12.2.szylttbf.exe.620e67.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
        Source: 19.2.svchost.exe.2750000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 19.2.svchost.exe.2750000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
        Source: 19.2.svchost.exe.2750000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 19.2.svchost.exe.2750000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
        Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_Tofsee
        Source: 0000000C.00000002.2221092359.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 0000000C.00000002.2221092359.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee
        Source: 00000000.00000002.2151473629.000000000075D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c
        Source: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f
        Source: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f
        Source: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee
        Source: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee
        Source: 0000000C.00000002.2221208662.0000000000688000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c
        Source: 00000000.00000003.2110248416.0000000002130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 00000000.00000003.2110248416.0000000002130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee
        Source: 0000000C.00000003.2206909011.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 0000000C.00000003.2206909011.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee
        Source: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4
        Source: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_Tofsee
        Rule metadata (identical on every match above; listed once):
        Windows_Trojan_Tofsee_26124fe4: reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        MALWARE_Win_Tofsee: author = ditekSHen, description = Detects Tofsee
        Windows_Trojan_RedLineStealer_ed346e4c: reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Windows_Trojan_Smokeloader_3687686f: reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
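The Yara hits above are listed once per unpacked PE or memory dump, which buries the triage question a responder actually has: in which processes does the Tofsee code live, and in what kind of region? The script below is an added example, not part of the Joe Sandbox report. It parses both source-identifier forms the report uses (unpacked-PE names such as 12.2.szylttbf.exe.400000.0.unpack and memory-dump names such as 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp) and groups the matches by rule and process. It decodes only the process index, stage, base address and page-protection fields; that field layout is inferred from the identifiers on this page and is an assumption, as is skipping the three trailing hex fields. The sample lines are copied from the table above, two of them deliberately in the run-together "UNPACKEDPEMatched rule" form the raw report uses.

```python
"""Group the Yara hits of a Joe Sandbox report by rule and process.

Added example; it is not part of the report. Field meanings beyond
pid, stage, base address and page protection are an assumption.
"""
import re
from collections import defaultdict

HIT_RE = re.compile(
    r"Source:\s*(?P<src>\S+?),\s*type:\s*(?P<kind>UNPACKEDPE|MEMORY)\s*\|?\s*"
    r"Matched rule:\s*(?P<rule>\S+)")
# <pid>.<stage>.<image>.<base hex>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-fA-F]+)"
    r"\.(?P<n>\d+)(?P<raw>\.raw)?\.unpack$")
# <pid hex8>.<stage hex8>.<dump id>.<base hex16>.<protect hex8>.<3 more hex8 fields>.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<stage>[0-9A-F]{8})\.(?P<dump>\d+)"
    r"\.(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})(?:\.[0-9A-F]{8}){3}\.sdmp$")
# Win32 PAGE_* constants; anything else is shown as raw hex.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE"}

# Constructed input: a subset of the hit lines from the report, in its notation.
SAMPLE_LINES = """\
Source: 12.2.szylttbf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
Source: 19.2.svchost.exe.2750000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Tofsee_26124fe4
Source: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Tofsee_26124fe4
Source: 00000000.00000002.2151473629.000000000075D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c
Source: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f
"""


def parse_source(src):
    """Return (pid, image or None, region description) for one identifier."""
    m = UNPACK_RE.match(src)
    if m:
        desc = "unpacked PE @0x%X (stage %s%s)" % (
            int(m["base"], 16), m["stage"], ", raw" if m["raw"] else "")
        return int(m["pid"]), m["image"], desc
    m = SDMP_RE.match(src)
    if m:
        prot = int(m["prot"], 16)
        desc = "memory dump @0x%X %s (stage %d)" % (
            int(m["base"], 16), PAGE_PROTECT.get(prot, hex(prot)), int(m["stage"], 16))
        return int(m["pid"], 16), None, desc
    raise ValueError("unrecognised source identifier: %s" % src)


def summarise(lines):
    """Return {rule: {pid: {"image": name or None, "regions": [desc, ...]}}}.

    Image names only appear in unpacked-PE identifiers, so they are collected
    first and then attached to memory-dump hits of the same pid.
    """
    hits, images = [], {}
    for line in lines:
        m = HIT_RE.search(line)
        if not m:
            continue
        pid, image, desc = parse_source(m["src"])
        if image:
            images[pid] = image
        hits.append((m["rule"], pid, desc))
    summary = defaultdict(dict)
    for rule, pid, desc in hits:
        entry = summary[rule].setdefault(pid, {"image": images.get(pid), "regions": []})
        entry["regions"].append(desc)
    return dict(summary)


def processes_for(summary, rule):
    """Sorted (pid, image) pairs in which a rule matched at least once."""
    return sorted((pid, e["image"]) for pid, e in summary.get(rule, {}).items())


if __name__ == "__main__":
    s = summarise(SAMPLE_LINES.splitlines())
    for rule in s:
        print(rule)
        for pid, e in sorted(s[rule].items()):
            print("  pid %2d %-55s %s" % (pid, e["image"] or "?", "; ".join(e["regions"])))
```

Run over the full table, processes_for() shows the Tofsee rules matching in process 0 (the submitted sample), 12 (the service binary szylttbf.exe) and 19 (svchost.exe), which is the injection the Yara lines imply but never state in one place; the RedLine and SmokeLoader hits are single memory-region matches and are worth listing separately before treating them as a second family.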
        Source: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@32/3@9/5
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,CloseHandle,GetLastError,CloseHandle,DeleteFileA,GetLastError | 0_2_00406A60
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_0075E5DE CreateToolhelp32Snapshot,Module32First | 0_2_0075E5DE
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 0_2_00409A6B
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 12_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_02759A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 19_2_02759A6B
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:3652:64:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_03
        Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:6196:64:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:320:120:WilError_03
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2604:120:WilError_03
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | File created: C:\Users\user\AppData\Local\Temp\szylttbf.exe
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | ReversingLabs: Detection: 34%
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_0-15069
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess | graph_12-15059
        Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe"
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jcbeaetw\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\szylttbf.exe" C:\Windows\SysWOW64\jcbeaetw\
        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create jcbeaetw binPath= "C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d\"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description jcbeaetw "wifi internet conection"
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start jcbeaetw
        Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe"
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
        Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 572 -ip 572
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 1032
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6788 -ip 6788
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 540
        Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jcbeaetw\
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\szylttbf.exe" C:\Windows\SysWOW64\jcbeaetw\
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create jcbeaetw binPath= "C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d\"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description jcbeaetw "wifi internet conection"
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start jcbeaetw
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 572 -ip 572
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 1032
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6788 -ip 6788
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 540
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: msimg32.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: msvcr100.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: propsys.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: edputil.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: urlmon.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: iertutil.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: srvcli.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: netutils.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: windows.staterepositoryps.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: appresolver.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: bcp47langs.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: slc.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: onecorecommonproxystub.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exeSection loaded: msimg32.dllJump to behavior
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exeSection loaded: msvcr100.dllJump to behavior
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanagersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: licensemanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior

        Data Obfuscation

        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Unpacked PE file: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.balowey:W;.xaci:R;.rojoj:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Unpacked PE file: 12.2.szylttbf.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.balowey:W;.xaci:R;.rojoj:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Unpacked PE file: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Unpacked PE file: 12.2.szylttbf.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
        Source: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Static PE information: section name: .balowey
        Source: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Static PE information: section name: .xaci
        Source: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Static PE information: section name: .rojoj
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_007618C6 push 0000002Bh; iretd 0_2_007618CC
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Code function: 12_2_0068CA6E push 0000002Bh; iretd 12_2_0068CA74
        Source: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Static PE information: section name: .text entropy: 7.465820885978803

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | File created: C:\Users\user\AppData\Local\Temp\szylttbf.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe (copy)
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe (copy)
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\jcbeaetw
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create jcbeaetw binPath= "C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d\"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\securiteinfo.com.win32.crypterx-gen.13041.27911.exe
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 19_2_0275199C
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_12-16390
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-16511
        Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_19-7607
        Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision graph_19-6143
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-16262
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_12-15440
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_19-7325
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_0-15256
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess graph_0-15308
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_19-7443
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_12-15074
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-15086
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | API coverage: 6.0 %
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | API coverage: 4.8 %
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 0_2_00401D96
        Source: svchost.exe, 00000013.00000002.3295484043.0000000002C00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

        Anti Debugging

        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep | graph_12-16451
        Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep | graph_19-7668
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep | graph_0-16572
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr | 0_2_00406069
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_0075DEBB push dword ptr fs:[00000030h] | 0_2_0075DEBB
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_0211092B mov eax, dword ptr fs:[00000030h] | 0_2_0211092B
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_02110D90 mov eax, dword ptr fs:[00000030h] | 0_2_02110D90
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Code function: 12_2_0062092B mov eax, dword ptr fs:[00000030h] | 12_2_0062092B
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Code function: 12_2_00620D90 mov eax, dword ptr fs:[00000030h] | 12_2_00620D90
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Code function: 12_2_00689063 push dword ptr fs:[00000030h] | 12_2_00689063
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap | 0_2_0040EBCC
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 0_2_00409A6B
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Code function: 12_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 12_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_02759A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep | 19_2_02759A6B

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 98.136.96.91 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 195.133.13.231 443
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 104.47.54.36 25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 64.233.166.26 25
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2750000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2750000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2750000
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 284F008
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jcbeaetw\
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\szylttbf.exe" C:\Windows\SysWOW64\jcbeaetw\
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create jcbeaetw binPath= "C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d\"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description jcbeaetw "wifi internet conection"
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start jcbeaetw
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 572 -ip 572
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 1032
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6788 -ip 6788
        Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 540
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree | 0_2_00407809
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid | 0_2_00406EDD
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\svchost.exe | Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle | 0_2_0040405E
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount | 0_2_0040EC54
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree | 0_2_00407809
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA | 0_2_0040B211
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey | 0_2_00409326

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

        Stealing of Sensitive Information

        Source: Yara match | File source: 12.2.szylttbf.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2130000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.szylttbf.exe.650000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2110e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.szylttbf.exe.650000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.szylttbf.exe.620e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.szylttbf.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.3.szylttbf.exe.650000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.svchost.exe.2750000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.svchost.exe.2750000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000C.00000002.2221092359.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.2110248416.0000000002130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000003.2206909011.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe PID: 572, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: szylttbf.exe PID: 6788, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6548, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match | File source: 12.2.szylttbf.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.3.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2130000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.szylttbf.exe.650000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.2110e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.szylttbf.exe.650000.2.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.szylttbf.exe.620e67.1.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.szylttbf.exe.400000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.3.szylttbf.exe.650000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.svchost.exe.2750000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 19.2.svchost.exe.2750000.0.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0000000C.00000002.2221092359.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000003.2110248416.0000000002130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000003.2206909011.0000000000650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe PID: 572, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: szylttbf.exe PID: 6788, type: MEMORYSTR
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6548, type: MEMORYSTR
        Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | Code function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname | 0_2_004088B0
        Source: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe | Code function: 12_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname | 12_2_004088B0
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 19_2_027588B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname | 19_2_027588B0
        MITRE ATT&CK Matrix (a number in front of a technique is the count of signatures mapped to it)

        Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
        Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 41 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 3 Disable or Modify Tools | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
        Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 Valid Accounts | 1 Valid Accounts | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | Data from Removable Media | 12 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
        Email Addresses | DNS Server | Domain Accounts | 3 Service Execution | 14 Windows Service | 1 Access Token Manipulation | 3 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
        Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 14 Windows Service | 22 Software Packing | NTDS | 15 System Information Discovery | Distributed Component Object Model | Input Capture | 112 Application Layer Protocol | Traffic Duplication | Data Destruction
        Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 412 Process Injection | 1 DLL Side-Loading | LSA Secrets | 111 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
        Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
        DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Masquerading | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
        Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Valid Accounts | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
        Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
        IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Access Token Manipulation | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
        Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 412 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
        Behavior Graph ID: 1469237
        Sample: SecuriteInfo.com.Win32.Cryp...
        Startdate: 08/07/2024
        Architecture: WINDOWS
        Score: 100
        Contacted domains and IPs: yahoo.com; vanaheim.cn; 6 other IPs or domains
        Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures

        Process tree (reconstructed from the behavior graph):
        • szylttbf.exe (started)
          Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Found API chain indicative of debugger detection; 3 other signatures
          • svchost.exe (started)
            Contacts: mta5.am0.yahoodns.net 98.136.96.91, 25 (YAHOO-NE1US, United States); microsoft-com.mail.protection.outlook.com 104.47.54.36, 25 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 3 other IPs or domains
            Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)
          • WerFault.exe (started)
        • SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe (started)
          Dropped: C:\Users\user\AppData\Local\...\szylttbf.exe, PE32
          Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
          • cmd.exe (started); dropped C:\Windows\SysWOW64\...\szylttbf.exe (copy), PE32
            • conhost.exe (started)
          • netsh.exe (started)
            • conhost.exe (started)
          • cmd.exe (started)
            • conhost.exe (started)
          • 4 other processes
            • conhost.exe (started, 3 instances)
        • svchost.exe (started)
          • WerFault.exe (started)
          • WerFault.exe (started)
        • svchost.exe (started)

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        windows-stand
        Source | Detection | Scanner | Label
        SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | 34% | ReversingLabs | Win32.Trojan.CrypterX
        SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | 100% | Avira | HEUR/AGEN.1318110
        SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | 100% | Joe Sandbox ML |

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\szylttbf.exe | 100% | Avira | HEUR/AGEN.1318110
        C:\Users\user\AppData\Local\Temp\szylttbf.exe | 100% | Joe Sandbox ML |

        No Antivirus matches
        No Antivirus matches

        Source | Detection | Scanner | Label
        jotunheim.name:443 | 0% | Avira URL Cloud | safe
        vanaheim.cn:443 | 100% | Avira URL Cloud | phishing
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        mxs.mail.ru | 217.69.139.150 | true | true | | unknown
        mta5.am0.yahoodns.net | 98.136.96.91 | true | true | | unknown
        microsoft-com.mail.protection.outlook.com | 104.47.54.36 | true | true | | unknown
        vanaheim.cn | 195.133.13.231 | true | true | | unknown
        smtp.google.com | 64.233.166.26 | true | false | | unknown
        google.com | unknown | unknown | true | | unknown
        yahoo.com | unknown | unknown | true | | unknown
        mail.ru | unknown | unknown | true | | unknown
        Name | Malicious | Antivirus Detection | Reputation
        vanaheim.cn:443 | true | Avira URL Cloud: phishing | unknown
        jotunheim.name:443 | true | Avira URL Cloud: safe | unknown
        IP | Domain | Country | ASN | ASN Name | Malicious
        98.136.96.91 | mta5.am0.yahoodns.net | United States | 36646 | YAHOO-NE1US | true
        64.233.166.26 | smtp.google.com | United States | 15169 | GOOGLEUS | false
        217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
        195.133.13.231 | vanaheim.cn | Russian Federation | 197695 | AS-REGRU | true
        104.47.54.36 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
        Joe Sandbox version: 40.0.0 Tourmaline
        Analysis ID: 1469237
        Start date and time: 2024-07-08 17:22:06 +02:00
        Joe Sandbox product: CloudBasic
        Overall analysis duration: 0h 6m 47s
        Hypervisor based Inspection enabled: false
        Report type: full
        Cookbook file name: default.jbs
        Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
        Number of new started processes analysed: 24
        Number of new started drivers analysed: 0
        Number of existing processes analysed: 0
        Number of existing drivers analysed: 0
        Number of injected processes analysed: 0
        Technologies:
        • HCA enabled
        • EGA enabled
        • AMSI enabled
        Analysis Mode: default
        Analysis stop reason: Timeout
        Sample name: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe
        Detection: MAL
        Classification: mal100.troj.evad.winEXE@32/3@9/5
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 68
                        • Number of non-executed functions: 265
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                        • Excluded IPs from analysis (whitelisted): 20.236.44.162, 20.112.250.133, 20.70.246.20, 20.231.239.246, 20.76.201.171
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, fe3cr.delivery.mp.microsoft.com
        • Not all processes were analyzed; the report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtEnumerateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe
        Time | Type | Description
        11:23:58 | API Interceptor | 2x Sleep call for process: svchost.exe modified
                                                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11432960
                                                                                          Entropy (8bit):5.220017315820614
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:BLNXXUki1mTUmHBmHBmHBmHBmHBmHBmHBmHBmHBmHBmHBmHBmHBmHBmHBmHBmHBl:BRHCcT
                                                                                          MD5:83E4D0728F822668A2CFF9EF2C227B53
                                                                                          SHA1:15C0C2011BC56C18F2D6F16777149597F7C38E54
                                                                                          SHA-256:9A043CE162703B46A72571561FEE1AD07175BA7E604CB33B06E882146FF6C766
                                                                                          SHA-512:DA1689085251433F70EA44D6CFC16B780E9A4E9581187A4095A8B77328DF6089814A5C360B10775398EE091A8C9407F980A3A43FC2178162048BBAC7E2384133
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          Process:C:\Windows\SysWOW64\cmd.exe
                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):11432960
                                                                                          Entropy (8bit):5.220017315820614
                                                                                          Encrypted:false
                                                                                          SSDEEP:6144:BLNXXUki1mTUmHBmHBmHBmHBmHBmHBmHBmHBmHBmHBmHBmHBmHBmHBmHBmHBmHBl:BRHCcT
                                                                                          MD5:83E4D0728F822668A2CFF9EF2C227B53
                                                                                          SHA1:15C0C2011BC56C18F2D6F16777149597F7C38E54
                                                                                          SHA-256:9A043CE162703B46A72571561FEE1AD07175BA7E604CB33B06E882146FF6C766
                                                                                          SHA-512:DA1689085251433F70EA44D6CFC16B780E9A4E9581187A4095A8B77328DF6089814A5C360B10775398EE091A8C9407F980A3A43FC2178162048BBAC7E2384133
                                                                                          Malicious:true
Process: C:\Windows\SysWOW64\netsh.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 3773
Entropy (8bit): 4.7109073551842435
Encrypted: false
SSDEEP: 48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
MD5: DA3247A302D70819F10BCEEBAF400503
SHA1: 2857AA198EE76C86FC929CC3388A56D5FD051844
SHA-256: 5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
SHA-512: 48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
Malicious: false
Preview: ..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.552164584453548
TrID:
• Win32 Executable (generic) a (10002005/4) 99.83%
• Windows Screen Saver (13104/52) 0.13%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe
File size: 168'960 bytes
MD5: 56781772c92e1822beec9faee18fadc9
SHA1: 889af8e28ecda1df1e79c1f4abe533959b29a9db
SHA256: 4f0a6b89e63437c52a7adf09a15950b3ba5b9d1d7c8791a8559721ae24875894
SHA512: 7a46f160e3881578c8991ed07a746696738eb994b8f161796ef87081d1d6345927149f168197300750862564b672abaf522db193aa43d980aeef2abd115a460f
SSDEEP: 3072:jJLNXOgUQ4IiNpjhmD/Sc11y5Td0Cfq/UVwE7wQWLc:NLNXXUki1mTUmH
TLSH: 31F34A6076F59136F3F79A341A74A6A41A3BF8736936C18EAE50121B0D336C19EE1F13
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........bq..."..."..."..."..."..."..."..."...".(w"..."..."..."..."..."..."..."..."..."Rich..."........................PE..L.....ad...
Icon Hash: cb97354d5555599a
Entrypoint: 0x40169b
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6461F0CE [Mon May 15 08:43:58 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 5208417a665309604e7c3226aaaeb5e4
Instruction
call 00007F4F74EBB7BDh
jmp 00007F4F74EB767Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0041C818h], eax
mov dword ptr [0041C814h], ecx
mov dword ptr [0041C810h], edx
mov dword ptr [0041C80Ch], ebx
mov dword ptr [0041C808h], esi
mov dword ptr [0041C804h], edi
mov word ptr [0041C830h], ss
mov word ptr [0041C824h], cs
mov word ptr [0041C800h], ds
mov word ptr [0041C7FCh], es
mov word ptr [0041C7F8h], fs
mov word ptr [0041C7F4h], gs
pushfd
pop dword ptr [0041C828h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0041C81Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0041C820h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0041C82Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [0041C768h], 00010001h
mov eax, dword ptr [0041C820h]
mov dword ptr [0041C71Ch], eax
mov dword ptr [0041C710h], C0000409h
mov dword ptr [0041C714h], 00000001h
mov eax, dword ptr [0041B004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [0041B008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [00000094h]
Programming Language:
• [C++] VS2008 build 21022
• [ASM] VS2008 build 21022
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [RES] VS2008 build 21022
• [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1988c | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb6000 | 0xdbb8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x18000 | 0x170 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x16b10 | 0x16c00 | 0ebc79b2a3798792e0658b7b079d1681 | False | 0.7967891483516484 | data | 7.465820885978803 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x18000 | 0x20c0 | 0x2200 | c20193acc30729fe20d80c398acfefe8 | False | 0.3625919117647059 | data | 5.451629537787536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x1b000 | 0x9633c | 0x1800 | 897508375183028ff55df2d5b9feab62 | False | 0.14892578125 | data | 1.6086341555943506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.balowey | 0xb2000 | 0x107c | 0x800 | c99a74c555371a433d121f551d6c6398 | False | 0.01123046875 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.xaci | 0xb4000 | 0xc | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rojoj | 0xb5000 | 0x400 | 0x400 | 0f343b0931126a20f133d67c2b018a3b | False | 0.0166015625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xb6000 | 0xdbb8 | 0xdc00 | 7d501b5057fbdae1abc422181e773c68 | False | 0.5225319602272728 | data | 5.193791367871725 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
POJ | 0xbcee8 | 0x3fa | ASCII text, with very long lines (1018), with no line terminators | Turkish | Turkey | 0.6326129666011788
RT_CURSOR | 0xbd300 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4276315789473684
RT_ICON | 0xb66b0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.6108742004264393
RT_ICON | 0xb7558 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6917870036101083
RT_ICON | 0xb7e00 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.7517281105990783
RT_ICON | 0xb84c8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7955202312138728
RT_ICON | 0xb8a30 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5929460580912863
RT_ICON | 0xbafd8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.7223264540337712
RT_ICON | 0xbc080 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.7360655737704918
RT_ICON | 0xbca08 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8838652482269503
RT_STRING | 0xbd5f8 | 0x19c | data | | | 0.5072815533980582
RT_STRING | 0xbd798 | 0x636 | data | | | 0.44150943396226416
RT_STRING | 0xbddd0 | 0x7f8 | data | | | 0.42205882352941176
RT_STRING | 0xbe5c8 | 0x52a | data | | | 0.443267776096823
RT_STRING | 0xbeaf8 | 0x258 | data | | | 0.4816666666666667
RT_STRING | 0xbed50 | 0x70c | data | | | 0.43015521064301554
RT_STRING | 0xbf460 | 0x592 | data | | | 0.44600280504908835
RT_STRING | 0xbf9f8 | 0x69a | data | | | 0.4307692307692308
RT_STRING | 0xc0098 | 0x63a | data | | | 0.43224592220828106
RT_STRING | 0xc06d8 | 0x9c8 | data | | | 0.40894568690095845
RT_STRING | 0xc10a0 | 0x8fc | data | | | 0.40956521739130436
RT_STRING | 0xc19a0 | 0x5cc | data | | | 0.44070080862533695
RT_STRING | 0xc1f70 | 0x618 | data | | | 0.43653846153846154
RT_STRING | 0xc2588 | 0x690 | data | | | 0.43392857142857144
RT_STRING | 0xc2c18 | 0x6e6 | data | | | 0.42638731596828994
RT_STRING | 0xc3300 | 0x86c | data | | | 0.4114100185528757
RT_STRING | 0xc3b70 | 0x46 | data | | | 0.6142857142857143
RT_ACCELERATOR | 0xbd2e8 | 0x18 | data | | | 1.2916666666666667
RT_GROUP_CURSOR | 0xbd430 | 0x14 | data | | | 1.15
RT_GROUP_ICON | 0xbce70 | 0x76 | data | Turkish | Turkey | 0.6610169491525424
RT_VERSION | 0xbd448 | 0x1b0 | data | | | 0.5925925925925926
DLL | Import
KERNEL32.dll | CreateJobObjectW, SleepEx, GetCommProperties, GetModuleHandleW, GetConsoleAliasesA, GlobalAlloc, SetVolumeMountPointA, lstrcpynW, GetModuleFileNameW, SetConsoleTitleA, ReleaseActCtx, SetLastError, GetProcAddress, BuildCommDCBW, GetAtomNameA, LoadLibraryA, WriteConsoleA, UnhandledExceptionFilter, InterlockedExchangeAdd, SetFileApisToANSI, AddAtomA, OpenJobObjectW, FoldStringW, lstrcatW, EnumDateFormatsW, FindFirstVolumeA, LocalFree, FlushFileBuffers, CloseHandle, GetLastError, HeapFree, MultiByteToWideChar, HeapAlloc, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, RtlUnwind, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetStdHandle, GetConsoleOutputCP, WriteConsoleW, HeapSize, CreateFileA
USER32.dll | GetProcessDefaultLayout
WINHTTP.dll | WinHttpAddRequestHeaders
Language of compilation system | Country where language is spoken | Map
Turkish | Turkey |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 8, 2024 17:23:15.843873024 CEST | 49709 | 25 | 192.168.2.5 | 104.47.54.36
Jul 8, 2024 17:23:16.936583042 CEST | 49709 | 25 | 192.168.2.5 | 104.47.54.36
Jul 8, 2024 17:23:18.936575890 CEST | 49709 | 25 | 192.168.2.5 | 104.47.54.36
Jul 8, 2024 17:23:19.017240047 CEST | 49713 | 443 | 192.168.2.5 | 195.133.13.231
Jul 8, 2024 17:23:19.017292023 CEST | 443 | 49713 | 195.133.13.231 | 192.168.2.5
Jul 8, 2024 17:23:19.017353058 CEST | 49713 | 443 | 192.168.2.5 | 195.133.13.231
Jul 8, 2024 17:23:22.952213049 CEST | 49709 | 25 | 192.168.2.5 | 104.47.54.36
Jul 8, 2024 17:23:30.967886925 CEST | 49709 | 25 | 192.168.2.5 | 104.47.54.36
Jul 8, 2024 17:23:35.876173019 CEST | 49714 | 25 | 192.168.2.5 | 98.136.96.91
Jul 8, 2024 17:23:36.889805079 CEST | 49714 | 25 | 192.168.2.5 | 98.136.96.91
Jul 8, 2024 17:23:38.905385971 CEST | 49714 | 25 | 192.168.2.5 | 98.136.96.91
Jul 8, 2024 17:23:42.920979023 CEST | 49714 | 25 | 192.168.2.5 | 98.136.96.91
Jul 8, 2024 17:23:50.921092033 CEST | 49714 | 25 | 192.168.2.5 | 98.136.96.91
Jul 8, 2024 17:23:55.905966043 CEST | 49716 | 25 | 192.168.2.5 | 64.233.166.26
Jul 8, 2024 17:23:56.920952082 CEST | 49716 | 25 | 192.168.2.5 | 64.233.166.26
Jul 8, 2024 17:23:58.921118021 CEST | 49716 | 25 | 192.168.2.5 | 64.233.166.26
Jul 8, 2024 17:23:59.014839888 CEST | 49713 | 443 | 192.168.2.5 | 195.133.13.231
Jul 8, 2024 17:23:59.015059948 CEST | 443 | 49713 | 195.133.13.231 | 192.168.2.5
Jul 8, 2024 17:23:59.015866995 CEST | 49713 | 443 | 192.168.2.5 | 195.133.13.231
Jul 8, 2024 17:23:59.125675917 CEST | 49717 | 443 | 192.168.2.5 | 195.133.13.231
Jul 8, 2024 17:23:59.125731945 CEST | 443 | 49717 | 195.133.13.231 | 192.168.2.5
Jul 8, 2024 17:23:59.125858068 CEST | 49717 | 443 | 192.168.2.5 | 195.133.13.231
Jul 8, 2024 17:24:02.921040058 CEST | 49716 | 25 | 192.168.2.5 | 64.233.166.26
Jul 8, 2024 17:24:10.936629057 CEST | 49716 | 25 | 192.168.2.5 | 64.233.166.26
Jul 8, 2024 17:24:16.131616116 CEST | 49718 | 25 | 192.168.2.5 | 217.69.139.150
Jul 8, 2024 17:24:17.124058008 CEST | 49718 | 25 | 192.168.2.5 | 217.69.139.150
Jul 8, 2024 17:24:19.127422094 CEST | 49718 | 25 | 192.168.2.5 | 217.69.139.150
Jul 8, 2024 17:24:23.124085903 CEST | 49718 | 25 | 192.168.2.5 | 217.69.139.150
Jul 8, 2024 17:24:31.124102116 CEST | 49718 | 25 | 192.168.2.5 | 217.69.139.150
Jul 8, 2024 17:24:39.140100002 CEST | 49717 | 443 | 192.168.2.5 | 195.133.13.231
Jul 8, 2024 17:24:39.140403986 CEST | 443 | 49717 | 195.133.13.231 | 192.168.2.5
Jul 8, 2024 17:24:39.140552044 CEST | 49717 | 443 | 192.168.2.5 | 195.133.13.231
Jul 8, 2024 17:24:39.249994040 CEST | 49719 | 443 | 192.168.2.5 | 195.133.13.231
Jul 8, 2024 17:24:39.250044107 CEST | 443 | 49719 | 195.133.13.231 | 192.168.2.5
Jul 8, 2024 17:24:39.250163078 CEST | 49719 | 443 | 192.168.2.5 | 195.133.13.231
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 8, 2024 17:23:15.585850000 CEST | 59858 | 53 | 192.168.2.5 | 1.1.1.1
Jul 8, 2024 17:23:15.842935085 CEST | 53 | 59858 | 1.1.1.1 | 192.168.2.5
Jul 8, 2024 17:23:18.519751072 CEST | 51554 | 53 | 192.168.2.5 | 1.1.1.1
Jul 8, 2024 17:23:19.016736984 CEST | 53 | 51554 | 1.1.1.1 | 192.168.2.5
Jul 8, 2024 17:23:35.859358072 CEST | 64174 | 53 | 192.168.2.5 | 1.1.1.1
Jul 8, 2024 17:23:35.866733074 CEST | 53 | 64174 | 1.1.1.1 | 192.168.2.5
Jul 8, 2024 17:23:35.867619038 CEST | 59297 | 53 | 192.168.2.5 | 1.1.1.1
Jul 8, 2024 17:23:35.875583887 CEST | 53 | 59297 | 1.1.1.1 | 192.168.2.5
Jul 8, 2024 17:23:55.890255928 CEST | 50129 | 53 | 192.168.2.5 | 1.1.1.1
Jul 8, 2024 17:23:55.897691011 CEST | 53 | 50129 | 1.1.1.1 | 192.168.2.5
Jul 8, 2024 17:23:55.898361921 CEST | 52866 | 53 | 192.168.2.5 | 1.1.1.1
Jul 8, 2024 17:23:55.905390978 CEST | 53 | 52866 | 1.1.1.1 | 192.168.2.5
Jul 8, 2024 17:24:15.921591043 CEST | 52224 | 53 | 192.168.2.5 | 1.1.1.1
Jul 8, 2024 17:24:16.122243881 CEST | 53 | 52224 | 1.1.1.1 | 192.168.2.5
Jul 8, 2024 17:24:16.123073101 CEST | 64152 | 53 | 192.168.2.5 | 1.1.1.1
Jul 8, 2024 17:24:16.131067991 CEST | 53 | 64152 | 1.1.1.1 | 192.168.2.5
Jul 8, 2024 17:25:03.881047964 CEST | 61671 | 53 | 192.168.2.5 | 1.1.1.1
Jul 8, 2024 17:25:03.911577940 CEST | 53 | 61671 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 8, 2024 17:23:15.585850000 CEST | 192.168.2.5 | 1.1.1.1 | 0x9f22 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:18.519751072 CEST | 192.168.2.5 | 1.1.1.1 | 0x3319 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:35.859358072 CEST | 192.168.2.5 | 1.1.1.1 | 0x3e56 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Jul 8, 2024 17:23:35.867619038 CEST | 192.168.2.5 | 1.1.1.1 | 0xf2cf | Standard query (0) | mta5.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:55.890255928 CEST | 192.168.2.5 | 1.1.1.1 | 0xf2b6 | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Jul 8, 2024 17:23:55.898361921 CEST | 192.168.2.5 | 1.1.1.1 | 0xaac9 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:24:15.921591043 CEST | 192.168.2.5 | 1.1.1.1 | 0x532e | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Jul 8, 2024 17:24:16.123073101 CEST | 192.168.2.5 | 1.1.1.1 | 0x1c2 | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:25:03.881047964 CEST | 192.168.2.5 | 1.1.1.1 | 0x3298 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 8, 2024 17:23:15.842935085 CEST | 1.1.1.1 | 192.168.2.5 | 0x9f22 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:15.842935085 CEST | 1.1.1.1 | 192.168.2.5 | 0x9f22 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:19.016736984 CEST | 1.1.1.1 | 192.168.2.5 | 0x3319 | No error (0) | vanaheim.cn | | 195.133.13.231 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:35.866733074 CEST | 1.1.1.1 | 192.168.2.5 | 0x3e56 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Jul 8, 2024 17:23:35.866733074 CEST | 1.1.1.1 | 192.168.2.5 | 0x3e56 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Jul 8, 2024 17:23:35.866733074 CEST | 1.1.1.1 | 192.168.2.5 | 0x3e56 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Jul 8, 2024 17:23:35.875583887 CEST | 1.1.1.1 | 192.168.2.5 | 0xf2cf | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.91 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:35.875583887 CEST | 1.1.1.1 | 192.168.2.5 | 0xf2cf | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.74 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:35.875583887 CEST | 1.1.1.1 | 192.168.2.5 | 0xf2cf | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.73 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:35.875583887 CEST | 1.1.1.1 | 192.168.2.5 | 0xf2cf | No error (0) | mta5.am0.yahoodns.net | | 67.195.228.110 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:35.875583887 CEST | 1.1.1.1 | 192.168.2.5 | 0xf2cf | No error (0) | mta5.am0.yahoodns.net | | 67.195.228.94 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:35.875583887 CEST | 1.1.1.1 | 192.168.2.5 | 0xf2cf | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.75 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:35.875583887 CEST | 1.1.1.1 | 192.168.2.5 | 0xf2cf | No error (0) | mta5.am0.yahoodns.net | | 98.136.96.76 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:35.875583887 CEST | 1.1.1.1 | 192.168.2.5 | 0xf2cf | No error (0) | mta5.am0.yahoodns.net | | 67.195.204.72 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:55.897691011 CEST | 1.1.1.1 | 192.168.2.5 | 0xf2b6 | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
Jul 8, 2024 17:23:55.905390978 CEST | 1.1.1.1 | 192.168.2.5 | 0xaac9 | No error (0) | smtp.google.com | | 64.233.166.26 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:55.905390978 CEST | 1.1.1.1 | 192.168.2.5 | 0xaac9 | No error (0) | smtp.google.com | | 74.125.133.26 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:55.905390978 CEST | 1.1.1.1 | 192.168.2.5 | 0xaac9 | No error (0) | smtp.google.com | | 74.125.71.27 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:55.905390978 CEST | 1.1.1.1 | 192.168.2.5 | 0xaac9 | No error (0) | smtp.google.com | | 74.125.71.26 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:23:55.905390978 CEST | 1.1.1.1 | 192.168.2.5 | 0xaac9 | No error (0) | smtp.google.com | | 74.125.133.27 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:24:16.122243881 CEST | 1.1.1.1 | 192.168.2.5 | 0x532e | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
Jul 8, 2024 17:24:16.131067991 CEST | 1.1.1.1 | 192.168.2.5 | 0x1c2 | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:24:16.131067991 CEST | 1.1.1.1 | 192.168.2.5 | 0x1c2 | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:25:03.911577940 CEST | 1.1.1.1 | 192.168.2.5 | 0x3298 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.53.36 | A (IP address) | IN (0x0001) | false
Jul 8, 2024 17:25:03.911577940 CEST | 1.1.1.1 | 192.168.2.5 | 0x3298 | No error (0) | microsoft-com.mail.protection.outlook.com | | 104.47.54.36 | A (IP address) | IN (0x0001) | false

                                                                                          Target ID:0
                                                                                          Start time:11:22:55
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:168'960 bytes
                                                                                          MD5 hash:56781772C92E1822BEEC9FAEE18FADC9
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2151473629.000000000075D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.2110248416.0000000002130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.2110248416.0000000002130000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.2110248416.0000000002130000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:2
                                                                                          Start time:11:23:04
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jcbeaetw\
                                                                                          Imagebase:0x790000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:3
                                                                                          Start time:11:23:04
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6d64d0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:4
                                                                                          Start time:11:23:04
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\szylttbf.exe" C:\Windows\SysWOW64\jcbeaetw\
                                                                                          Imagebase:0x790000
                                                                                          File size:236'544 bytes
                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:5
                                                                                          Start time:11:23:04
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6d64d0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:6
                                                                                          Start time:11:23:05
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" create jcbeaetw binPath= "C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d\"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                                          Imagebase:0xc90000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:7
                                                                                          Start time:11:23:05
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6d64d0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:8
                                                                                          Start time:11:23:05
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" description jcbeaetw "wifi internet conection"
                                                                                          Imagebase:0xc90000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:9
                                                                                          Start time:11:23:05
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6d64d0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:10
                                                                                          Start time:11:23:06
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\SysWOW64\sc.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\sc.exe" start jcbeaetw
                                                                                          Imagebase:0xc90000
                                                                                          File size:61'440 bytes
                                                                                          MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:moderate
                                                                                          Has exited:true

                                                                                          Target ID:11
                                                                                          Start time:11:23:06
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6d64d0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:12
                                                                                          Start time:11:23:06
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe"
                                                                                          Imagebase:0x400000
                                                                                          File size:11'432'960 bytes
                                                                                          MD5 hash:83E4D0728F822668A2CFF9EF2C227B53
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2221092359.0000000000650000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2221092359.0000000000650000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2221092359.0000000000650000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                                          • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000C.00000002.2221208662.0000000000688000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000C.00000003.2206909011.0000000000650000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000C.00000003.2206909011.0000000000650000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000C.00000003.2206909011.0000000000650000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          Target ID:13
                                                                                          Start time:11:23:07
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\SysWOW64\netsh.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                                          Imagebase:0x1080000
                                                                                          File size:82'432 bytes
                                                                                          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:14
                                                                                          Start time:11:23:07
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                                          Imagebase:0x7ff7e52b0000
                                                                                          File size:55'320 bytes
                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Target ID:15
                                                                                          Start time:11:23:07
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          Imagebase:0x7ff6d64d0000
                                                                                          File size:862'208 bytes
                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          Target ID:16
                                                                                          Start time:11:23:07
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 572 -ip 572
                                                                                          Imagebase:0xca0000
                                                                                          File size:483'680 bytes
                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:17
                                                                                          Start time:11:23:07
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 572 -s 1032
                                                                                          Imagebase:0xca0000
                                                                                          File size:483'680 bytes
                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:19
                                                                                          Start time:11:23:13
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:svchost.exe
                                                                                          Imagebase:0x6f0000
                                                                                          File size:46'504 bytes
                                                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                          Has exited:false

                                                                                          Target ID:20
                                                                                          Start time:11:23:13
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6788 -ip 6788
                                                                                          Imagebase:0xca0000
                                                                                          File size:483'680 bytes
                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:21
                                                                                          Start time:11:23:14
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 540
                                                                                          Imagebase:0xca0000
                                                                                          File size:483'680 bytes
                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:true

                                                                                          Target ID:23
                                                                                          Start time:11:23:40
                                                                                          Start date:08/07/2024
                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                          Imagebase:0x7ff7e52b0000
                                                                                          File size:55'320 bytes
                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:false
                                                                                          Programmed in:C, C++ or other language
                                                                                          Has exited:false
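
The process list above carries the three installation steps a detection engineer would key on: a randomly named service binary under C:\Windows\SysWOW64 started with the original sample's path as its /d argument (target 12), netsh adding an inbound allow rule for the 32-bit svchost.exe under a Microsoft-sounding rule name (target 13), and a bare svchost.exe launched with no -k service group that later carries the Tofsee Yara matches (target 19). The Python below is an added example, not part of the Joe Sandbox report: it runs those three checks over process-creation records constructed from the report's own command lines. The ProcEvent field layout and the rule names are assumptions, and the two-8-letter path pattern is tuned to this sample.

```python
"""Detection logic for the Tofsee installation chain in the process list above.

Added example; not part of the Joe Sandbox report. The event records are
constructed from the report's command lines (target IDs 12, 13, 14, 19, 23);
the ProcEvent shape and the rule names are assumptions, not a real log format.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    target_id: int
    image: str      # executable path as the sandbox/EDR saw it
    cmdline: str    # raw command line


# Constructed from the process list above; assumed field layout.
SAMPLE_EVENTS = [
    ProcEvent(12, r"C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe",
              r'C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe /d"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe"'),
    ProcEvent(13, r"C:\Windows\SysWOW64\netsh.exe",
              r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul'),
    ProcEvent(14, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k WerSvcGroup"),
    ProcEvent(19, r"C:\Windows\SysWOW64\svchost.exe", "svchost.exe"),
    ProcEvent(23, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager"),
]

# Tofsee installs its service binary as <SysWOW64>\<random>\<random>.exe; this
# sample uses two 8-letter lowercase names, so the quantifier is tuned to it
# (assumption: widen it for other samples).
RANDOM_SYSWOW64_EXE = re.compile(r"^[a-z]:\\windows\\syswow64\\[a-z]{8}\\[a-z]{8}\.exe$", re.I)
DROPPER_ARG = re.compile(r'/d"([^"]+)"')          # /d"<original sample>" on the service binary
NETSH_ADD_RULE = re.compile(r"advfirewall\s+firewall\s+add\s+rule", re.I)
NETSH_PROGRAM = re.compile(r'program="([^"]+)"', re.I)
SVCHOST_GROUP = re.compile(r"(^|\s)-k\s+\S+", re.I)  # services.exe always passes -k <group>


def basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def original_sample(ev: ProcEvent):
    """Path passed in the /d argument (the original sample in this report), or None."""
    m = DROPPER_ARG.search(ev.cmdline)
    return m.group(1) if m else None


def check_event(ev: ProcEvent):
    """Return (rule, detail) pairs for one process-creation event."""
    hits = []
    img = basename(ev.image)
    low = ev.cmdline.lower()

    # 1. Random-named executable under SysWOW64 started with /d"<sample path>".
    if RANDOM_SYSWOW64_EXE.match(ev.image):
        hits.append(("tofsee_service_binary", f"/d -> {original_sample(ev)}"))

    # 2. netsh adds an inbound allow rule whose program is svchost.exe with no
    #    service= qualifier; Windows' own svchost rules are service-scoped, and
    #    this sample points the rule at the 32-bit SysWOW64 copy.
    if img == "netsh.exe" and NETSH_ADD_RULE.search(ev.cmdline):
        prog = NETSH_PROGRAM.search(ev.cmdline)
        if (prog and basename(prog.group(1)) == "svchost.exe"
                and "action=allow" in low and "service=" not in low):
            hits.append(("firewall_allow_svchost_program", prog.group(1)))

    # 3. svchost.exe started without a -k service group: the injection target
    #    (target 19 above), not a service host launched by services.exe.
    if img == "svchost.exe" and not SVCHOST_GROUP.search(ev.cmdline):
        hits.append(("svchost_without_service_group", ev.cmdline))

    return hits


def hits_by_target(events):
    """Map target_id -> list of rule names, omitting events with no hits."""
    out = {}
    for ev in events:
        rules = [rule for rule, _ in check_event(ev)]
        if rules:
            out[ev.target_id] = rules
    return out


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for rule, detail in check_event(ev):
            print(f"target {ev.target_id}: {rule}: {detail}")
```

Targets 14 and 23, the legitimate service hosts launched with -k, produce no hits, which is the false-positive check worth keeping. On real telemetry, add the parent process as a fourth condition (services.exe for a genuine svchost) once it is available; the report's process list does not carry it.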


                                                                                            Execution Graph

                                                                                            Execution Coverage:3.8%
                                                                                            Dynamic/Decrypted Code Coverage:2.2%
                                                                                            Signature Coverage:24.7%
                                                                                            Total number of Nodes:1601
                                                                                            Total number of Limit Nodes:32
                                                                                            execution_graph: [node/edge dump omitted; the page's copy is truncated. Recoverable API nodes, in graph order: an unpacking stub starting at 0x2110005 that calls GetPEB, SetErrorMode, VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA; then the unpacked entry at 0x409a6b calling SetErrorMode, SetUnhandledExceptionFilter, GetSystemTimeAsFileTime, GetVolumeInformationA, GetTickCount, GetModuleHandleA/GetModuleFileNameA, GetCommandLineA, GetTempPathA, GetEnvironmentVariableA, GetDriveTypeA, GetSystemDirectoryA/GetWindowsDirectoryA, RegOpenKeyExA/RegQueryValueExA/RegSetValueExA/RegDeleteValueA/RegCloseKey, CreateFileA/ReadFile/WriteFile/SetFilePointer/SetFileAttributesA/GetFileAttributesExA, CreateProcessA, ShellExecuteA, CreateThread, CreateEventA, WaitForSingleObject, StartServiceCtrlDispatcherA, WSAStartup, inet_addr, send, closesocket, CreateFileW with DeviceIoControl, GetProcessHeap/RtlAllocateHeap/HeapSize/HeapFree, DeleteFileA, Sleep and ExitProcess.]
CloseHandle 15544 40f04e 4 API calls 15541->15544 15542 40cda5 15545 407ee6 64 API calls 15542->15545 15543->15555 15544->15542 15546 40cdbd DeleteFileA 15545->15546 15546->15555 15547 40d4b1 CreateProcessA 15550 40d4e8 CloseHandle CloseHandle 15547->15550 15547->15555 15548 40d3e0 SetFileAttributesA 15548->15540 15549 40d26e lstrcatA 15551 40d2b1 CreateFileA 15549->15551 15549->15555 15550->15555 15552 40d2d8 WriteFile CloseHandle 15551->15552 15551->15555 15552->15555 15553 407ee6 64 API calls 15553->15555 15554 40d452 SetFileAttributesA 15554->15555 15555->15492 15555->15494 15555->15499 15555->15505 15555->15506 15555->15507 15555->15508 15555->15509 15555->15511 15555->15512 15555->15514 15555->15515 15555->15516 15555->15517 15555->15518 15555->15519 15555->15520 15555->15521 15555->15522 15555->15523 15555->15524 15555->15529 15555->15531 15555->15532 15555->15534 15555->15535 15555->15537 15555->15539 15555->15540 15555->15547 15555->15548 15555->15549 15555->15551 15555->15553 15555->15554 15556 40d29f SetFileAttributesA 15555->15556 15559 40d31d SetFileAttributesA 15555->15559 16039 40c75d 15555->16039 16051 407e2f 15555->16051 16073 407ead 15555->16073 16083 4031d0 15555->16083 16100 403c09 15555->16100 16110 403a00 15555->16110 16114 40e7b4 15555->16114 16117 40c06c 15555->16117 16123 406f5f GetUserNameA 15555->16123 16134 40e854 15555->16134 16144 407dd6 15555->16144 15556->15551 15559->15555 15561 40741b 15560->15561 15562 406dc2 6 API calls 15561->15562 15563 40743f 15562->15563 15564 407469 RegOpenKeyExA 15563->15564 15566 4077f9 15564->15566 15576 407487 ___ascii_stricmp 15564->15576 15565 407703 RegEnumKeyA 15567 407714 RegCloseKey 15565->15567 15565->15576 15566->15176 15567->15566 15568 40f1a5 lstrlenA 15568->15576 15569 4074d2 RegOpenKeyExA 15569->15576 15570 40772c 15572 407742 RegCloseKey 15570->15572 15573 40774b 15570->15573 15571 407521 RegQueryValueExA 15571->15576 15572->15573 15574 4077ec RegCloseKey 15573->15574 15574->15566 15575 
4076e4 RegCloseKey 15575->15576 15576->15565 15576->15568 15576->15569 15576->15570 15576->15571 15576->15575 15577 407769 15576->15577 15579 40777e GetFileAttributesExA 15576->15579 15578 4077e3 RegCloseKey 15577->15578 15578->15574 15579->15577 15581 407073 15580->15581 15582 4070b9 RegOpenKeyExA 15581->15582 15583 4070d0 15582->15583 15597 4071b8 15582->15597 15584 406dc2 6 API calls 15583->15584 15587 4070d5 15584->15587 15585 40719b RegEnumValueA 15586 4071af RegCloseKey 15585->15586 15585->15587 15586->15597 15587->15585 15589 4071d0 15587->15589 15603 40f1a5 lstrlenA 15587->15603 15590 407205 RegCloseKey 15589->15590 15591 407227 15589->15591 15590->15597 15592 4072b8 ___ascii_stricmp 15591->15592 15593 40728e RegCloseKey 15591->15593 15594 4072cd RegCloseKey 15592->15594 15595 4072dd 15592->15595 15593->15597 15594->15597 15596 407311 RegCloseKey 15595->15596 15599 407335 15595->15599 15596->15597 15597->15177 15598 4073d5 RegCloseKey 15600 4073e4 15598->15600 15599->15598 15601 40737e GetFileAttributesExA 15599->15601 15602 407397 15599->15602 15601->15602 15602->15598 15604 40f1c3 15603->15604 15604->15587 15606 403edc 15605->15606 15608 403ee2 15605->15608 15607 406dc2 6 API calls 15606->15607 15607->15608 15608->15183 15610 40400b CreateFileA 15609->15610 15611 40402c GetLastError 15610->15611 15612 404052 15610->15612 15611->15612 15613 404037 15611->15613 15612->15181 15612->15186 15612->15187 15613->15612 15614 404041 Sleep 15613->15614 15614->15610 15614->15612 15616 403f7c 15615->15616 15617 403f4e GetLastError 15615->15617 15619 403f8c ReadFile 15616->15619 15617->15616 15618 403f5b WaitForSingleObject GetOverlappedResult 15617->15618 15618->15616 15620 403fc2 GetLastError 15619->15620 15622 403ff0 15619->15622 15621 403fcf WaitForSingleObject GetOverlappedResult 15620->15621 15620->15622 15621->15622 15622->15192 15622->15193 15626 40eb74 15623->15626 15627 40eb7b GetProcessHeap HeapSize 15626->15627 15628 404350 15626->15628 15627->15628 
15628->15200 15630 401924 GetVersionExA 15629->15630 15630->15243 15632 406eef AllocateAndInitializeSid 15631->15632 15638 406f55 15631->15638 15633 406f44 15632->15633 15634 406f1c CheckTokenMembership 15632->15634 15633->15638 15665 406e36 GetUserNameW 15633->15665 15635 406f3b FreeSid 15634->15635 15636 406f2e 15634->15636 15635->15633 15636->15635 15638->15253 15640 409308 15639->15640 15643 40920e 15639->15643 15640->15264 15641 4092f1 Sleep 15641->15643 15642 4092bf ShellExecuteA 15642->15640 15642->15643 15643->15640 15643->15641 15643->15642 15643->15643 15645 40ef32 15644->15645 15645->15270 15647 40f0f1 15646->15647 15648 40f0ed 15646->15648 15649 40f119 15647->15649 15650 40f0fa lstrlenA SysAllocStringByteLen 15647->15650 15648->15275 15652 40f11c MultiByteToWideChar 15649->15652 15651 40f117 15650->15651 15650->15652 15651->15275 15652->15651 15654 401820 17 API calls 15653->15654 15655 4018f2 15654->15655 15656 4018f9 15655->15656 15668 401280 15655->15668 15656->15264 15658 401908 15658->15264 15680 401000 15659->15680 15661 401839 15662 401851 GetCurrentProcess 15661->15662 15663 40183d 15661->15663 15664 401864 15662->15664 15663->15261 15664->15261 15666 406e97 15665->15666 15667 406e5f LookupAccountNameW 15665->15667 15666->15638 15667->15666 15669 4012e1 15668->15669 15670 4016f9 GetLastError 15669->15670 15677 4013a8 15669->15677 15671 401699 15670->15671 15671->15658 15672 401570 lstrlenW 15672->15677 15673 4015be GetStartupInfoW 15673->15677 15674 4015ff CreateProcessWithLogonW 15675 4016bf GetLastError 15674->15675 15676 40163f WaitForSingleObject 15674->15676 15675->15671 15676->15677 15678 401659 CloseHandle 15676->15678 15677->15671 15677->15672 15677->15673 15677->15674 15679 401668 CloseHandle 15677->15679 15678->15677 15679->15677 15681 401023 15680->15681 15682 40100d LoadLibraryA 15680->15682 15684 4010b5 GetProcAddress 15681->15684 15699 4010ae 15681->15699 15682->15681 15683 401021 15682->15683 15683->15661 15685 4010d1 
GetProcAddress 15684->15685 15686 40127b 15684->15686 15685->15686 15687 4010f0 GetProcAddress 15685->15687 15686->15661 15687->15686 15688 401110 GetProcAddress 15687->15688 15688->15686 15689 401130 GetProcAddress 15688->15689 15689->15686 15690 40114f GetProcAddress 15689->15690 15690->15686 15691 40116f GetProcAddress 15690->15691 15691->15686 15692 40118f GetProcAddress 15691->15692 15692->15686 15693 4011ae GetProcAddress 15692->15693 15693->15686 15694 4011ce GetProcAddress 15693->15694 15694->15686 15695 4011ee GetProcAddress 15694->15695 15695->15686 15696 401209 GetProcAddress 15695->15696 15696->15686 15697 401225 GetProcAddress 15696->15697 15697->15686 15698 401241 GetProcAddress 15697->15698 15698->15686 15700 40125c GetProcAddress 15698->15700 15699->15661 15700->15686 15703 4069b9 WriteFile 15701->15703 15704 406a3c 15703->15704 15706 4069ff 15703->15706 15704->15285 15704->15286 15705 406a10 WriteFile 15705->15704 15705->15706 15706->15704 15706->15705 15708 40eb17 15707->15708 15709 40eb21 15707->15709 15711 40eae4 15708->15711 15709->15289 15712 40eb02 GetProcAddress 15711->15712 15713 40eaed LoadLibraryA 15711->15713 15712->15709 15713->15712 15714 40eb01 15713->15714 15714->15709 15716 40eba7 GetProcessHeap HeapSize 15715->15716 15717 40ebbf GetProcessHeap HeapFree 15715->15717 15716->15717 15717->15318 15719 40908d 15718->15719 15720 4090e2 wsprintfA 15719->15720 15721 40ee2a 15720->15721 15722 4090fd CreateFileA 15721->15722 15723 40911a lstrlenA WriteFile CloseHandle 15722->15723 15724 40913f 15722->15724 15723->15724 15724->15327 15724->15328 15726 40ee2a 15725->15726 15727 409794 CreateProcessA 15726->15727 15728 4097c2 15727->15728 15729 4097bb 15727->15729 15730 4097d4 GetThreadContext 15728->15730 15729->15339 15731 409801 15730->15731 15732 4097f5 15730->15732 15739 40637c 15731->15739 15733 4097f6 TerminateProcess 15732->15733 15733->15729 15735 409816 15735->15733 15736 40981e WriteProcessMemory 15735->15736 15736->15732 15737 40983b 
SetThreadContext 15736->15737 15737->15732 15738 409858 ResumeThread 15737->15738 15738->15729 15740 406386 15739->15740 15741 40638a GetModuleHandleA VirtualAlloc 15739->15741 15740->15735 15742 4063b6 15741->15742 15743 4063f5 15741->15743 15744 4063be VirtualAllocEx 15742->15744 15743->15735 15744->15743 15745 4063d6 15744->15745 15746 4063df WriteProcessMemory 15745->15746 15746->15743 15748 40dd41 InterlockedExchange 15747->15748 15749 40dd20 GetCurrentThreadId 15748->15749 15750 40dd4a 15748->15750 15751 40dd53 GetCurrentThreadId 15749->15751 15752 40dd2e GetTickCount 15749->15752 15750->15751 15751->15342 15752->15750 15753 40dd39 Sleep 15752->15753 15753->15748 15755 40dbf0 15754->15755 15787 40db67 GetEnvironmentVariableA 15755->15787 15757 40dc19 15758 40dcda 15757->15758 15759 40db67 3 API calls 15757->15759 15758->15344 15760 40dc5c 15759->15760 15760->15758 15761 40db67 3 API calls 15760->15761 15762 40dc9b 15761->15762 15762->15758 15763 40db67 3 API calls 15762->15763 15763->15758 15765 40db55 15764->15765 15766 40db3a 15764->15766 15765->15346 15765->15351 15791 40ebed 15766->15791 15800 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15768->15800 15770 40e3be 15770->15346 15771 40e342 15771->15770 15803 40de24 15771->15803 15774 40e528 15773->15774 15775 40e3f4 15773->15775 15774->15355 15776 40e434 RegQueryValueExA 15775->15776 15777 40e458 15776->15777 15778 40e51d RegCloseKey 15776->15778 15779 40e46e RegQueryValueExA 15777->15779 15778->15774 15779->15777 15780 40e488 15779->15780 15780->15778 15781 40db2e 8 API calls 15780->15781 15782 40e499 15781->15782 15782->15778 15783 40e4b9 RegQueryValueExA 15782->15783 15784 40e4e8 15782->15784 15783->15782 15783->15784 15784->15778 15785 40e332 14 API calls 15784->15785 15786 40e513 15785->15786 15786->15778 15788 40db89 lstrcpyA CreateFileA 15787->15788 15789 40dbca 15787->15789 15788->15757 15789->15757 15792 40ec01 15791->15792 15793 40ebf6 15791->15793 15795 40eba0 codecvt 2 API calls 
15792->15795 15794 40ebcc 4 API calls 15793->15794 15796 40ebfe 15794->15796 15797 40ec0a GetProcessHeap HeapReAlloc 15795->15797 15796->15765 15798 40eb74 2 API calls 15797->15798 15799 40ec28 15798->15799 15799->15765 15814 40eb41 15800->15814 15804 40de3a 15803->15804 15810 40de4e 15804->15810 15818 40dd84 15804->15818 15807 40ebed 8 API calls 15812 40def6 15807->15812 15808 40de9e 15808->15807 15808->15810 15809 40de76 15822 40ddcf 15809->15822 15810->15771 15812->15810 15813 40ddcf lstrcmpA 15812->15813 15813->15810 15815 40eb54 15814->15815 15816 40eb4a 15814->15816 15815->15771 15817 40eae4 2 API calls 15816->15817 15817->15815 15819 40dd96 15818->15819 15820 40ddc5 15818->15820 15819->15820 15821 40ddad lstrcmpiA 15819->15821 15820->15808 15820->15809 15821->15819 15821->15820 15823 40dddd 15822->15823 15825 40de20 15822->15825 15824 40ddfa lstrcmpA 15823->15824 15823->15825 15824->15823 15825->15810 15827 40dd05 6 API calls 15826->15827 15828 40e821 15827->15828 15829 40dd84 lstrcmpiA 15828->15829 15830 40e82c 15829->15830 15832 40e844 15830->15832 15874 402480 15830->15874 15832->15371 15834 40dd05 6 API calls 15833->15834 15835 40df7c 15834->15835 15836 40dd84 lstrcmpiA 15835->15836 15839 40df89 15836->15839 15837 40dfc4 15837->15377 15838 40ddcf lstrcmpA 15838->15839 15839->15837 15839->15838 15840 40ec2e codecvt 4 API calls 15839->15840 15841 40dd84 lstrcmpiA 15839->15841 15840->15839 15841->15839 15843 40ea98 15842->15843 15883 40e8a1 15843->15883 15845 401e84 15845->15380 15847 4019d5 GetProcAddress GetProcAddress GetProcAddress 15846->15847 15848 4019ce 15846->15848 15849 401ab3 FreeLibrary 15847->15849 15850 401a04 15847->15850 15848->15384 15849->15848 15850->15849 15851 401a14 GetProcessHeap 15850->15851 15851->15848 15853 401a2e HeapAlloc 15851->15853 15853->15848 15854 401a42 15853->15854 15855 401a52 HeapReAlloc 15854->15855 15857 401a62 15854->15857 15855->15857 15856 401aa1 FreeLibrary 15856->15848 15857->15856 15858 401a96 HeapFree 
15857->15858 15858->15856 15911 401ac3 LoadLibraryA 15859->15911 15862 401bcf 15862->15396 15864 401ac3 12 API calls 15863->15864 15865 401c09 15864->15865 15866 401c41 15865->15866 15867 401c0d GetComputerNameA 15865->15867 15866->15402 15868 401c45 GetVolumeInformationA 15867->15868 15869 401c1f 15867->15869 15868->15866 15869->15866 15869->15868 15871 40ee2a 15870->15871 15872 4030d0 gethostname gethostbyname 15871->15872 15873 401f82 15872->15873 15873->15408 15873->15410 15877 402419 lstrlenA 15874->15877 15876 402491 15876->15832 15878 40243d lstrlenA 15877->15878 15882 402474 15877->15882 15879 402464 lstrlenA 15878->15879 15880 40244e lstrcmpiA 15878->15880 15879->15878 15879->15882 15880->15879 15881 40245c 15880->15881 15881->15879 15881->15882 15882->15876 15884 40dd05 6 API calls 15883->15884 15885 40e8b4 15884->15885 15886 40dd84 lstrcmpiA 15885->15886 15887 40e8c0 15886->15887 15888 40e8c8 lstrcpynA 15887->15888 15898 40e90a 15887->15898 15889 40e8f5 15888->15889 15904 40df4c 15889->15904 15890 402419 4 API calls 15891 40e926 lstrlenA lstrlenA 15890->15891 15892 40e96a 15891->15892 15893 40e94c lstrlenA 15891->15893 15897 40ebcc 4 API calls 15892->15897 15899 40ea27 15892->15899 15893->15892 15895 40e901 15896 40dd84 lstrcmpiA 15895->15896 15896->15898 15900 40e98f 15897->15900 15898->15890 15898->15899 15899->15845 15900->15899 15901 40df4c 20 API calls 15900->15901 15902 40ea1e 15901->15902 15903 40ec2e codecvt 4 API calls 15902->15903 15903->15899 15905 40dd05 6 API calls 15904->15905 15906 40df51 15905->15906 15907 40f04e 4 API calls 15906->15907 15908 40df58 15907->15908 15909 40de24 10 API calls 15908->15909 15910 40df63 15909->15910 15910->15895 15912 401ae2 GetProcAddress 15911->15912 15913 401b68 GetComputerNameA GetVolumeInformationA 15911->15913 15912->15913 15914 401af5 15912->15914 15913->15862 15915 40ebed 8 API calls 15914->15915 15916 401b29 15914->15916 15915->15914 15916->15913 15916->15916 15917 40ec2e codecvt 4 API calls 
15916->15917 15917->15913 15919 406ec3 2 API calls 15918->15919 15920 407ef4 15919->15920 15921 4073ff 17 API calls 15920->15921 15930 407fc9 15920->15930 15922 407f16 15921->15922 15922->15930 15931 407809 GetUserNameA 15922->15931 15924 407f63 15925 40ef1e lstrlenA 15924->15925 15924->15930 15926 407fa6 15925->15926 15927 40ef1e lstrlenA 15926->15927 15928 407fb7 15927->15928 15955 407a95 RegOpenKeyExA 15928->15955 15930->15422 15932 40783d LookupAccountNameA 15931->15932 15937 407a8d 15931->15937 15933 407874 GetLengthSid GetFileSecurityA 15932->15933 15932->15937 15934 4078a8 GetSecurityDescriptorOwner 15933->15934 15933->15937 15935 4078c5 EqualSid 15934->15935 15936 40791d GetSecurityDescriptorDacl 15934->15936 15935->15936 15938 4078dc LocalAlloc 15935->15938 15936->15937 15947 407941 15936->15947 15937->15924 15938->15936 15939 4078ef InitializeSecurityDescriptor 15938->15939 15940 407916 LocalFree 15939->15940 15941 4078fb SetSecurityDescriptorOwner 15939->15941 15940->15936 15941->15940 15943 40790b SetFileSecurityA 15941->15943 15942 40795b GetAce 15942->15947 15943->15940 15944 407980 EqualSid 15944->15947 15945 407a3d 15945->15937 15949 407a43 LocalAlloc 15945->15949 15946 4079be EqualSid 15946->15947 15947->15937 15947->15942 15947->15944 15947->15945 15947->15946 15948 40799d DeleteAce 15947->15948 15948->15947 15949->15937 15950 407a56 InitializeSecurityDescriptor 15949->15950 15951 407a62 SetSecurityDescriptorDacl 15950->15951 15952 407a86 LocalFree 15950->15952 15951->15952 15953 407a73 SetFileSecurityA 15951->15953 15952->15937 15953->15952 15954 407a83 15953->15954 15954->15952 15956 407ac4 15955->15956 15957 407acb GetUserNameA 15955->15957 15956->15930 15958 407da7 RegCloseKey 15957->15958 15959 407aed LookupAccountNameA 15957->15959 15958->15956 15959->15958 15960 407b24 RegGetKeySecurity 15959->15960 15960->15958 15961 407b49 GetSecurityDescriptorOwner 15960->15961 15962 407b63 EqualSid 15961->15962 15963 407bb8 GetSecurityDescriptorDacl 
15961->15963 15962->15963 15965 407b74 LocalAlloc 15962->15965 15964 407da6 15963->15964 15972 407bdc 15963->15972 15964->15958 15965->15963 15966 407b8a InitializeSecurityDescriptor 15965->15966 15968 407bb1 LocalFree 15966->15968 15969 407b96 SetSecurityDescriptorOwner 15966->15969 15967 407bf8 GetAce 15967->15972 15968->15963 15969->15968 15970 407ba6 RegSetKeySecurity 15969->15970 15970->15968 15971 407c1d EqualSid 15971->15972 15972->15964 15972->15967 15972->15971 15973 407cd9 15972->15973 15974 407c5f EqualSid 15972->15974 15975 407c3a DeleteAce 15972->15975 15973->15964 15976 407d5a LocalAlloc 15973->15976 15978 407cf2 RegOpenKeyExA 15973->15978 15974->15972 15975->15972 15976->15964 15977 407d70 InitializeSecurityDescriptor 15976->15977 15979 407d7c SetSecurityDescriptorDacl 15977->15979 15980 407d9f LocalFree 15977->15980 15978->15976 15983 407d0f 15978->15983 15979->15980 15981 407d8c RegSetKeySecurity 15979->15981 15980->15964 15981->15980 15982 407d9c 15981->15982 15982->15980 15984 407d43 RegSetValueExA 15983->15984 15984->15976 15985 407d54 15984->15985 15985->15976 15986->15438 15988 40dd05 6 API calls 15987->15988 15991 40e65f 15988->15991 15989 40e6a5 15990 40ebcc 4 API calls 15989->15990 15996 40e6f5 15989->15996 15993 40e6b0 15990->15993 15991->15989 15992 40e68c lstrcmpA 15991->15992 15992->15991 15994 40e6b7 15993->15994 15995 40e6e0 lstrcpynA 15993->15995 15993->15996 15994->15440 15995->15996 15996->15994 15997 40e71d lstrcmpA 15996->15997 15997->15996 15998->15446 16000 40c525 15999->16000 16001 40c532 15999->16001 16000->16001 16003 40ec2e codecvt 4 API calls 16000->16003 16002 40c548 16001->16002 16151 40e7ff 16001->16151 16005 40e7ff lstrcmpiA 16002->16005 16012 40c54f 16002->16012 16003->16001 16006 40c615 16005->16006 16007 40ebcc 4 API calls 16006->16007 16006->16012 16007->16012 16008 40c5d1 16010 40ebcc 4 API calls 16008->16010 16010->16012 16011 40e819 11 API calls 16013 40c5b7 16011->16013 16012->15459 16014 40f04e 4 API calls 
16013->16014 16015 40c5bf 16014->16015 16015->16002 16015->16008 16017 402692 inet_addr 16016->16017 16018 40268e 16016->16018 16017->16018 16019 40269e gethostbyname 16017->16019 16020 40f428 16018->16020 16019->16018 16154 40f315 16020->16154 16025 40c8d2 16023->16025 16024 40c907 16024->15461 16025->16024 16026 40c517 23 API calls 16025->16026 16026->16024 16027 40f43e 16028 40f473 recv 16027->16028 16029 40f458 16028->16029 16030 40f47c 16028->16030 16029->16028 16029->16030 16030->15477 16032 40c670 16031->16032 16033 40c67d 16031->16033 16034 40ebcc 4 API calls 16032->16034 16035 40c699 16033->16035 16036 40ebcc 4 API calls 16033->16036 16034->16033 16037 40c6f3 16035->16037 16038 40c73c send 16035->16038 16036->16035 16037->15490 16037->15555 16038->16037 16040 40c770 16039->16040 16041 40c77d 16039->16041 16042 40ebcc 4 API calls 16040->16042 16043 40c799 16041->16043 16044 40ebcc 4 API calls 16041->16044 16042->16041 16045 40c7b5 16043->16045 16046 40ebcc 4 API calls 16043->16046 16044->16043 16047 40f43e recv 16045->16047 16046->16045 16048 40c7cb 16047->16048 16049 40f43e recv 16048->16049 16050 40c7d3 16048->16050 16049->16050 16050->15555 16167 407db7 16051->16167 16054 40f04e 4 API calls 16057 407e4c 16054->16057 16055 40f04e 4 API calls 16056 407e96 16055->16056 16056->15555 16058 40f04e 4 API calls 16057->16058 16059 407e70 16057->16059 16058->16059 16059->16055 16059->16056 16061 406ec3 2 API calls 16060->16061 16062 407fdd 16061->16062 16063 4080c2 CreateProcessA 16062->16063 16064 4073ff 17 API calls 16062->16064 16063->15541 16063->15542 16065 407fff 16064->16065 16065->16063 16066 407809 21 API calls 16065->16066 16067 40804d 16066->16067 16067->16063 16068 40ef1e lstrlenA 16067->16068 16069 40809e 16068->16069 16070 40ef1e lstrlenA 16069->16070 16071 4080af 16070->16071 16072 407a95 24 API calls 16071->16072 16072->16063 16074 407db7 2 API calls 16073->16074 16075 407eb8 16074->16075 16076 40f04e 4 API calls 16075->16076 16077 407ece 
DeleteFileA 16076->16077 16077->15555 16079 40dd05 6 API calls 16078->16079 16080 40e31d 16079->16080 16171 40e177 16080->16171 16082 40e326 16082->15513 16084 4031f3 16083->16084 16094 4031ec 16083->16094 16085 40ebcc 4 API calls 16084->16085 16097 4031fc 16085->16097 16086 40344b 16087 403459 16086->16087 16088 40349d 16086->16088 16090 40f04e 4 API calls 16087->16090 16089 40ec2e codecvt 4 API calls 16088->16089 16089->16094 16091 40345f 16090->16091 16093 4030fa 4 API calls 16091->16093 16092 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 16092->16097 16093->16094 16094->15555 16095 40344d 16096 40ec2e codecvt 4 API calls 16095->16096 16096->16086 16097->16086 16097->16092 16097->16094 16097->16095 16099 403141 lstrcmpiA 16097->16099 16197 4030fa GetTickCount 16097->16197 16099->16097 16101 4030fa 4 API calls 16100->16101 16102 403c1a 16101->16102 16106 403ce6 16102->16106 16202 403a72 16102->16202 16105 403a72 9 API calls 16109 403c5e 16105->16109 16106->15555 16107 403a72 9 API calls 16107->16109 16108 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16108->16109 16109->16106 16109->16107 16109->16108 16111 403a10 16110->16111 16112 4030fa 4 API calls 16111->16112 16113 403a1a 16112->16113 16113->15555 16115 40dd05 6 API calls 16114->16115 16116 40e7be 16115->16116 16116->15555 16118 40c105 16117->16118 16119 40c07e wsprintfA 16117->16119 16118->15555 16211 40bfce GetTickCount wsprintfA 16119->16211 16121 40c0ef 16212 40bfce GetTickCount wsprintfA 16121->16212 16124 407047 16123->16124 16125 406f88 LookupAccountNameA 16123->16125 16124->15555 16127 407025 16125->16127 16128 406fcb 16125->16128 16129 406edd 5 API calls 16127->16129 16131 406fdb ConvertSidToStringSidA 16128->16131 16130 40702a wsprintfA 16129->16130 16130->16124 16131->16127 16132 406ff1 16131->16132 16133 407013 LocalFree 16132->16133 16133->16127 16135 40dd05 6 API calls 16134->16135 16136 40e85c 16135->16136 16137 40dd84 lstrcmpiA 16136->16137 16139 40e867 
16137->16139 16138 40e885 lstrcpyA 16216 40dd69 16138->16216 16139->16138 16213 4024a5 16139->16213 16145 407db7 2 API calls 16144->16145 16146 407de1 16145->16146 16147 40f04e 4 API calls 16146->16147 16150 407e16 16146->16150 16148 407df2 16147->16148 16149 40f04e 4 API calls 16148->16149 16148->16150 16149->16150 16150->15555 16152 40dd84 lstrcmpiA 16151->16152 16153 40c58e 16152->16153 16153->16002 16153->16008 16153->16011 16155 40ca1d 16154->16155 16156 40f33b 16154->16156 16155->15474 16155->16027 16157 40f347 htons socket 16156->16157 16158 40f382 ioctlsocket 16157->16158 16159 40f374 closesocket 16157->16159 16160 40f3aa connect select 16158->16160 16161 40f39d 16158->16161 16159->16155 16160->16155 16163 40f3f2 __WSAFDIsSet 16160->16163 16162 40f39f closesocket 16161->16162 16162->16155 16163->16162 16164 40f403 ioctlsocket 16163->16164 16166 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 16164->16166 16166->16155 16168 407dc8 InterlockedExchange 16167->16168 16169 407dc0 Sleep 16168->16169 16170 407dd4 16168->16170 16169->16168 16170->16054 16170->16059 16172 40e184 16171->16172 16173 40e2e4 16172->16173 16174 40e223 16172->16174 16187 40dfe2 16172->16187 16173->16082 16174->16173 16177 40dfe2 8 API calls 16174->16177 16176 40e1be 16176->16174 16178 40dbcf 3 API calls 16176->16178 16180 40e23c 16177->16180 16181 40e1d6 16178->16181 16179 40e21a CloseHandle 16179->16174 16180->16173 16191 40e095 RegCreateKeyExA 16180->16191 16181->16174 16181->16179 16182 40e1f9 WriteFile 16181->16182 16182->16179 16184 40e213 16182->16184 16184->16179 16185 40e2a3 16185->16173 16186 40e095 4 API calls 16185->16186 16186->16173 16188 40dffc 16187->16188 16190 40e024 16187->16190 16189 40db2e 8 API calls 16188->16189 16188->16190 16189->16190 16190->16176 16192 40e172 16191->16192 16194 40e0c0 16191->16194 16192->16185 16193 40e13d 16195 40e14e RegDeleteValueA RegCloseKey 16193->16195 16194->16193 16196 40e115 RegSetValueExA 16194->16196 16195->16192 
16196->16193 16196->16194 16198 403122 InterlockedExchange 16197->16198 16199 40312e 16198->16199 16200 40310f GetTickCount 16198->16200 16199->16097 16200->16199 16201 40311a Sleep 16200->16201 16201->16198 16203 40f04e 4 API calls 16202->16203 16210 403a83 16203->16210 16204 403ac1 16204->16105 16204->16106 16205 403be6 16207 40ec2e codecvt 4 API calls 16205->16207 16206 403bc0 16206->16205 16208 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 16206->16208 16207->16204 16208->16206 16209 403b66 lstrlenA 16209->16204 16209->16210 16210->16204 16210->16206 16210->16209 16211->16121 16212->16118 16214 402419 4 API calls 16213->16214 16215 4024b6 16214->16215 16215->16138 16217 40dd79 lstrlenA 16216->16217 16217->15555 16219 404084 16218->16219 16220 40407d 16218->16220 16221 403ecd 6 API calls 16219->16221 16222 40408f 16221->16222 16223 404000 3 API calls 16222->16223 16225 404095 16223->16225 16224 404130 16226 403ecd 6 API calls 16224->16226 16225->16224 16230 403f18 4 API calls 16225->16230 16227 404159 CreateNamedPipeA 16226->16227 16228 404167 Sleep 16227->16228 16229 404188 ConnectNamedPipe 16227->16229 16228->16224 16232 404176 CloseHandle 16228->16232 16231 404195 GetLastError 16229->16231 16242 4041ab 16229->16242 16233 4040da 16230->16233 16234 40425e DisconnectNamedPipe 16231->16234 16231->16242 16232->16229 16235 403f8c 4 API calls 16233->16235 16234->16229 16236 4040ec 16235->16236 16237 404127 CloseHandle 16236->16237 16238 404101 16236->16238 16237->16224 16239 403f18 4 API calls 16238->16239 16240 40411c ExitProcess 16239->16240 16241 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 16241->16242 16242->16229 16242->16234 16242->16241 16243 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 16242->16243 16244 40426a CloseHandle CloseHandle 16242->16244 16243->16242 16245 40e318 23 API calls 16244->16245 16246 40427b 16245->16246 16246->16246 16248 408791 16247->16248 16249 40879f 16247->16249 
16250 40f04e 4 API calls 16248->16250 16251 4087bc 16249->16251 16253 40f04e 4 API calls 16249->16253 16250->16249 16252 40e819 11 API calls 16251->16252 16254 4087d7 16252->16254 16253->16251 16263 408803 16254->16263 16269 4026b2 gethostbyaddr 16254->16269 16257 4087eb 16259 40e8a1 30 API calls 16257->16259 16257->16263 16259->16263 16262 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 16262->16263 16263->16262 16264 40e819 11 API calls 16263->16264 16265 4088a0 Sleep 16263->16265 16267 4026b2 2 API calls 16263->16267 16268 40e8a1 30 API calls 16263->16268 16274 408cee 16263->16274 16282 40c4d6 16263->16282 16285 40c4e2 16263->16285 16288 402011 16263->16288 16323 408328 16263->16323 16264->16263 16265->16263 16267->16263 16268->16263 16270 4026fb 16269->16270 16271 4026cd 16269->16271 16270->16257 16272 4026e1 inet_ntoa 16271->16272 16273 4026de 16271->16273 16272->16273 16273->16257 16275 408d02 GetTickCount 16274->16275 16276 408dae 16274->16276 16275->16276 16277 408d19 16275->16277 16276->16263 16278 408da1 GetTickCount 16277->16278 16281 408d89 16277->16281 16375 40a677 16277->16375 16378 40a688 16277->16378 16278->16276 16281->16278 16386 40c2dc 16282->16386 16286 40c2dc 141 API calls 16285->16286 16287 40c4ec 16286->16287 16287->16263 16289 402020 16288->16289 16290 40202e 16288->16290 16292 40f04e 4 API calls 16289->16292 16291 40204b 16290->16291 16293 40f04e 4 API calls 16290->16293 16294 40206e GetTickCount 16291->16294 16295 40f04e 4 API calls 16291->16295 16292->16290 16293->16291 16296 4020db GetTickCount 16294->16296 16305 402090 16294->16305 16298 402068 16295->16298 16297 402132 GetTickCount GetTickCount 16296->16297 16308 4020e7 16296->16308 16300 40f04e 4 API calls 16297->16300 16298->16294 16299 4020d4 GetTickCount 16299->16296 16302 402159 16300->16302 16301 40212b GetTickCount 16301->16297 16307 40e854 13 API calls 16302->16307 16317 4021b4 16302->16317 16303 402684 2 API calls 16303->16305 16305->16299 
control_flow_graph (remainder of the edge list collapsed; only the API calls reachable from the remaining blocks are kept). Registry: RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegCloseKey. File and process: GetTempPathA, CreateFileA, WriteFile, DeleteFileA, CreateProcessA, CloseHandle, IsBadCodePtr. Timing, threads and time conversion: GetTickCount, Sleep, CreateThread, GetCurrentThreadId, InterlockedIncrement, InterlockedDecrement, InterlockedExchange, GetLocalTime, SystemTimeToFileTime, FileTimeToLocalFileTime, FileTimeToSystemTime, GetTimeZoneInformation. Networking (WS2_32): socket, select, recv, send, sendto, closesocket, htons, inet_addr, inet_ntoa, gethostbyname, gethostname. Strings and heap: lstrlenA, lstrcpyA, lstrcpynA, lstrcmpA, wsprintfA, GetProcessHeap, HeapAlloc, HeapFree. Loader and memory: GetModuleHandleA, GetModuleHandleW, LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualProtect, CreateToolhelp32Snapshot, Module32First. A separate cluster of blocks (around 75de3e and 417afc) calls GlobalAlloc, AddAtomA, GetCommProperties, SetLastError, GetProcessDefaultLayout, ReleaseActCtx, GetConsoleAliasesA, FoldStringW, SetConsoleTitleA, LocalFree, UnhandledExceptionFilter, FindFirstVolumeA, CreateJobObjectW, OpenJobObjectW, BuildCommDCBW and SleepEx.
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                                            • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                                              • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                              • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                              • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                                            • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                                            • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                                            • ExitProcess.KERNEL32 ref: 00409C06
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                                            • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                                            • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                                            • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                                            • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                                            • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                                            • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                                            • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                                            • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                                            • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                                            • wsprintfA.USER32 ref: 0040A0B6
                                                                                            • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                                            • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                                            • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                                            • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                                            • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                                              • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                              • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                            • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                                            • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                                            • GetLastError.KERNEL32 ref: 0040A3ED
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                                            • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                                            • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                                            • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                                            • GetTickCount.KERNEL32 ref: 0040A49F
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                                            • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                            • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                                            • API String ID: 2089075347-2824936573
                                                                                            • Opcode ID: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                            • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                                            • Opcode Fuzzy Hash: 603121095b7679364f468b5179938349acae34033f0d3c12a89c9af7faf008a0
                                                                                            • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 561 409326-409348 call 401910 GetVersionExA 564 409358-40935c 561->564 565 40934a-409356 561->565 566 409360-40937d GetModuleHandleA GetModuleFileNameA 564->566 565->566 567 409385-4093a2 566->567 568 40937f 566->568 569 4093a4-4093d7 call 402544 wsprintfA 567->569 570 4093d9-409412 call 402544 wsprintfA 567->570 568->567 575 409415-40942c call 40ee2a 569->575 570->575 578 4094a3-4094b3 call 406edd 575->578 579 40942e-409432 575->579 584 4094b9-4094f9 call 402544 RegOpenKeyExA 578->584 585 40962f-409632 578->585 579->578 581 409434-4094a0 call 406cc9 call 40ef00 call 402544 call 40ef1e call 402544 wsprintfA call 40ee2a 579->581 581->578 595 409502-40952e call 402544 RegQueryValueExA 584->595 596 4094fb-409500 584->596 587 409634-409637 585->587 590 409639-40964a call 401820 587->590 591 40967b-409682 587->591 606 40964c-409662 590->606 607 40966d-409679 590->607 598 409683 call 4091eb 591->598 616 409530-409537 595->616 617 409539-409565 call 402544 RegQueryValueExA 595->617 600 40957a-40957f 596->600 610 409688-409690 598->610 604 409581-409584 600->604 605 40958a-40958d 600->605 604->587 604->605 605->591 613 409593-40959a 605->613 614 409664-40966b 606->614 615 40962b-40962d 606->615 607->598 611 409692 610->611 612 409698-4096a0 610->612 611->612 619 4096a2-4096a9 612->619 620 40961a-40961f 613->620 621 40959c-4095a1 613->621 614->615 615->619 622 40956e-409577 RegCloseKey 616->622 617->622 629 409567 617->629 627 409625 620->627 621->620 628 4095a3-4095c0 call 40f0e4 621->628 622->600 627->615 634 4095c2-4095db call 4018e0 628->634 635 40960c-409618 628->635 629->622 634->619 638 4095e1-4095f9 634->638 635->627 638->619 639 4095ff-409607 638->639 639->619
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                            • wsprintfA.USER32 ref: 004093CE
                                                                                            • wsprintfA.USER32 ref: 0040940C
                                                                                            • wsprintfA.USER32 ref: 0040948D
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
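The two API listings above (the installer routine from SetErrorMode at 00409A7F through Sleep at 0040A4C3, and the version/registry check from GetVersionExA at 00409340 through RegCloseKey at 00409571) print registry hives, access masks and creation flags as raw hex. The Python below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses lines in this report's format, decodes the constants a practitioner reads off by hand (80000001 = HKEY_CURRENT_USER, 80000002 = HKEY_LOCAL_MACHINE, 00000103 = KEY_QUERY_VALUE|KEY_SET_VALUE|KEY_WOW64_64KEY, 00000101 = KEY_QUERY_VALUE|KEY_WOW64_64KEY, 00000001 = REG_SZ, 08000000 = CREATE_NO_WINDOW) and walks the trace in order to confirm the install sequence the first listing records: take the temp directory, write a value under HKCU, start the copy with no window, then delete a file. The embedded trace is constructed from a subset of the report's own lines; the function and stage names, and the heuristic used to find samDesired among RegOpenKeyExA's columns (which in this listing are stack values that do not line up with the prototype), are assumptions of this example. The trace does not resolve the subkey name (shown as ?), so the code reports a value written under HKCU, not specifically a Run key.

```python
"""Decode a Joe Sandbox 'APIs' listing and flag the install chain it records.
Added example, not part of the report; SAMPLE_TRACE is constructed from a
subset of the report's own lines, the names and the samDesired heuristic are ours."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One trace line: optional bullet, optional "Part of subcall function XXXXXXXX:",
# then Api.MODULE(args) or bare Api.MODULE, then "ref: XXXXXXXX".
API_LINE = re.compile(
    r"(?:•\s*)?(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>[\w.]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_ACCESS = [(0x0001, "KEY_QUERY_VALUE"), (0x0002, "KEY_SET_VALUE"),
              (0x0004, "KEY_CREATE_SUB_KEY"), (0x0008, "KEY_ENUMERATE_SUB_KEYS"),
              (0x0010, "KEY_NOTIFY"), (0x0020, "KEY_CREATE_LINK"),
              (0x0100, "KEY_WOW64_64KEY"), (0x0200, "KEY_WOW64_32KEY")]
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
CREATION_FLAGS = [(0x00000004, "CREATE_SUSPENDED"), (0x00000008, "DETACHED_PROCESS"),
                  (0x00000010, "CREATE_NEW_CONSOLE"), (0x00000200, "CREATE_NEW_PROCESS_GROUP"),
                  (0x08000000, "CREATE_NO_WINDOW")]
ERROR_MODES = [(0x0001, "SEM_FAILCRITICALERRORS"), (0x0002, "SEM_NOGPFAULTERRORBOX"),
               (0x0004, "SEM_NOALIGNMENTFAULTEXCEPT"), (0x8000, "SEM_NOOPENFILEERRORBOX")]

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]        # raw columns; '?' where the sandbox could not resolve a value
    ref: int               # call-site address
    caller: Optional[int]  # set for "Part of subcall function" lines

def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw, caller = m.group("args"), m.group("caller")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args,
                             int(m.group("ref"), 16), int(caller, 16) if caller else None))
    return calls

def hexarg(call: ApiCall, i: int) -> Optional[int]:
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):  # missing column or '?'
        return None

def flag_names(value: int, table) -> List[str]:
    names = [name for bit, name in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table)
    return names + ([f"0x{rest:X}"] if rest else [])  # keep unknown bits visible

def decode(call: ApiCall) -> dict:
    """Readable view of constants the report prints as hex. Columns follow the
    prototype for RegSetValueExA, CreateProcessA, SetErrorMode and Sleep; for
    RegOpenKeyExA this listing's columns do not, so samDesired is taken
    heuristically as the first non-zero column made only of KEY_* bits."""
    d = {}
    if call.api == "RegOpenKeyExA":
        h = hexarg(call, 0)
        d["hKey"] = HKEYS.get(h, f"0x{h:X}" if h is not None else "?")
        known = sum(bit for bit, _ in KEY_ACCESS)
        for i in range(1, len(call.args)):
            v = hexarg(call, i)
            if v and v & ~known == 0:
                d["samDesired"] = flag_names(v, KEY_ACCESS)
                break
    elif call.api == "RegSetValueExA" and (t := hexarg(call, 3)) is not None:
        d["dwType"] = REG_TYPES.get(t, f"0x{t:X}")
    elif call.api == "CreateProcessA" and (f := hexarg(call, 5)) is not None:
        d["dwCreationFlags"] = flag_names(f, CREATION_FLAGS)
    elif call.api == "SetErrorMode" and (m := hexarg(call, 0)) is not None:
        d["uMode"] = flag_names(m, ERROR_MODES)
    elif call.api == "Sleep" and (ms := hexarg(call, 0)) is not None:
        d["milliseconds"] = ms
    return d

# Stages of the install sequence, in the order the listing records them.
INSTALL_CHAIN = [
    ("temp_path", lambda c: c.api == "GetTempPathA"),
    ("hkcu_opened", lambda c: c.api == "RegOpenKeyExA" and hexarg(c, 0) == 0x80000001),
    ("value_written", lambda c: c.api == "RegSetValueExA"),
    ("hidden_child", lambda c: c.api == "CreateProcessA" and bool((hexarg(c, 5) or 0) & 0x08000000)),
    ("file_deleted_after_spawn", lambda c: c.api == "DeleteFileA"),
]

def find_install_chain(calls: List[ApiCall]):
    """Single ordered pass: each stage must follow the previous one, so the
    DeleteFileA at 00409E38 (before the registry write) does not count.
    Returns [(stage, ref)] for the stages reached; a short list is a partial chain."""
    found, pos = [], 0
    for stage, pred in INSTALL_CHAIN:
        while pos < len(calls) and not pred(calls[pos]):
            pos += 1
        if pos == len(calls):
            break
        found.append((stage, calls[pos].ref))
        pos += 1
    return found

def is_complete_chain(calls: List[ApiCall]) -> bool:
    return len(find_install_chain(calls)) == len(INSTALL_CHAIN)

# Constructed input: a subset of the report's own API lines, in report order.
SAMPLE_TRACE = """\
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• wsprintfA.USER32 ref: 0040A0B6
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
"""

if __name__ == "__main__":
    trace = parse_api_lines(SAMPLE_TRACE)
    for c in trace:
        print(f"{c.ref:08X} {c.api:<28} {decode(c)}")
    print("install chain:", [(s, f"{r:08X}") for s, r in find_install_chain(trace)])
```

Run as-is and the chain prints with the call-site addresses from the listing; feed it a trace that stops before CreateProcessA and it reports a partial chain, which is the right outcome for a sample that only staged itself. The second listing decodes to HKEY_LOCAL_MACHINE opened with KEY_QUERY_VALUE|KEY_WOW64_64KEY, a read-only check consistent with the PromptOnSecureDesktop and runas strings rather than a write.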
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: PromptOnSecureDesktop$runas
                                                                                            • API String ID: 3696105349-2220793183
                                                                                            • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                            • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 678 406a60-406a89 CreateFileA 679 406b8c-406ba1 GetLastError 678->679 680 406a8f-406ac3 GetDiskFreeSpaceA 678->680 683 406ba3-406ba6 679->683 681 406ac5-406adc call 40eb0e 680->681 682 406b1d-406b27 call 406987 680->682 681->682 690 406ade 681->690 686 406b2c-406b34 682->686 688 406b56-406b63 CloseHandle 686->688 689 406b36-406b54 GetLastError CloseHandle 686->689 692 406b65-406b7d GetLastError CloseHandle 688->692 693 406b86-406b8a 688->693 691 406b7f-406b80 DeleteFileA 689->691 694 406ae0-406ae5 690->694 695 406ae7-406afb call 40eca5 690->695 691->693 692->691 693->683 694->695 696 406afd-406aff 694->696 695->682 696->682 699 406b01 696->699 700 406b03-406b08 699->700 701 406b0a-406b17 call 40eca5 699->701 700->682 700->701 701->682
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                            • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3188212458-2980165447
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                            • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID:
                                                                                            • API String ID: 1209300637-0
                                                                                            • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                            • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 875 75e5de-75e5f7 876 75e5f9-75e5fb 875->876 877 75e602-75e60e CreateToolhelp32Snapshot 876->877 878 75e5fd 876->878 879 75e610-75e616 877->879 880 75e61e-75e62b Module32First 877->880 878->877 879->880 885 75e618-75e61c 879->885 881 75e634-75e63c 880->881 882 75e62d-75e62e call 75e29d 880->882 886 75e633 882->886 885->876 885->880 886->881
                                                                                            APIs
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0075E606
                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 0075E626
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151473629.000000000075D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_75d000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                            • String ID:
                                                                                            • API String ID: 3833638111-0
                                                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction ID: ce29e37832e691e89dcb5b12f8c7cb04db4c3fdd9accde7fac70928b22ef9fb5
                                                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction Fuzzy Hash: E1F096311007146BD7243BF59C8DBEEB6ECEF59766F100528FA52D10C0EBB4ED494A61

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 891 40ebcc-40ebec GetProcessHeap RtlAllocateHeap call 40eb74
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                              • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                                              • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AllocateSize
                                                                                            • String ID:
                                                                                            • API String ID: 2559512979-0
                                                                                            • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                            • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                                            • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                                            • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 264 41782a-417844 266 417846-41784b 264->266 267 417861 266->267 268 41784d-41785f 266->268 269 417867-41786d 267->269 268->269 270 417880-417886 269->270 271 41786f-417876 269->271 270->266 272 417888 270->272 271->270 273 41788a-41788f 272->273 274 417891-417897 273->274 275 41789d-4178a3 273->275 274->275 275->273 276 4178a5-4178af 275->276 277 4178b5-41792d lstrcatW InterlockedExchangeAdd WriteConsoleA lstrcpynW GetAtomNameA SetFileApisToANSI SetVolumeMountPointA GetModuleFileNameW EnumDateFormatsW 276->277 278 417947-417948 276->278 280 417939-417946 277->280 281 41792f-417932 277->281 279 41794a-417954 278->279 282 417965-417980 GetCommProperties SetLastError 279->282 283 417956-41795f GlobalAlloc AddAtomA 279->283 280->278 281->280 284 417982-417983 GetProcessDefaultLayout 282->284 285 417989-417993 282->285 283->282 284->285 288 417995-417996 ReleaseActCtx 285->288 289 41799c-4179b1 GetConsoleAliasesA 285->289 288->289 290 4179b3-4179ba 289->290 291 4179c7-4179ce 289->291 290->291 293 4179bc-4179c1 FoldStringW 290->293 291->279 294 4179d4-4179de 291->294 293->291 295 4179e0-417a02 294->295 296 417a48-417a56 call 4175c3 294->296 302 417a22-417a45 295->302 303 417a04-417a18 SetConsoleTitleA LocalFree 295->303 300 417a58-417a8a 296->300 301 417a9b-417aa7 LoadLibraryA call 417600 call 4175e2 296->301 304 417a96-417a99 300->304 305 417a8c 300->305 312 417aac-417ab3 call 4177eb 301->312 302->296 303->302 304->300 304->301 305->304 316 417ab4-417ab9 312->316 318 417ac0-417ac6 316->318 319 417abb call 4175d7 316->319 318->316 321 417ac8 318->321 319->318 323 417ad2-417ad8 321->323 324 417ae6-417aed 323->324 325 417ada-417ae4 323->325 324->323 326 417aef-417afb 324->326 325->324 325->326
                                                                                            APIs
                                                                                            • lstrcatW.KERNEL32(?,00000000), ref: 004178BD
                                                                                            • InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004178CB
                                                                                            • WriteConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 004178E2
                                                                                            • lstrcpynW.KERNEL32(?,00000000,00000000), ref: 004178F1
                                                                                            • GetAtomNameA.KERNEL32(00000000,00000000,00000000), ref: 004178FA
                                                                                            • SetFileApisToANSI.KERNEL32 ref: 00417900
                                                                                            • SetVolumeMountPointA.KERNEL32(00000000,00000000), ref: 00417908
                                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00417917
                                                                                            • EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 00417920
                                                                                            • GlobalAlloc.KERNEL32(00000000,00000000), ref: 00417958
                                                                                            • AddAtomA.KERNEL32(00000000), ref: 0041795F
                                                                                            • GetCommProperties.KERNELBASE(00000000,?), ref: 0041796D
                                                                                            • SetLastError.KERNEL32(00000000), ref: 00417974
                                                                                            • GetProcessDefaultLayout.USER32(00000000), ref: 00417983
                                                                                            • ReleaseActCtx.KERNEL32(00000000), ref: 00417996
                                                                                            • GetConsoleAliasesA.KERNEL32(?,00000000,00000000), ref: 004179A5
                                                                                            • FoldStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004179C1
                                                                                            • SetConsoleTitleA.KERNEL32(00000000), ref: 00417A05
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00417A0C
                                                                                            • LoadLibraryA.KERNELBASE(00419458), ref: 00417AA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150586425.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_415000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: Console$AtomFileName$AliasesAllocApisCommDateDefaultEnumErrorExchangeFoldFormatsFreeGlobalInterlockedLastLayoutLibraryLoadLocalModuleMountPointProcessPropertiesReleaseStringTitleVolumeWritelstrcatlstrcpyn
                                                                                            • String ID: k`$tl_$}$
                                                                                            • API String ID: 1756273361-211918992
                                                                                            • Opcode ID: 3697615f451d7fc26fb8104d22a62db024d6b7e65e0f42aee9dd171e956c996e
                                                                                            • Instruction ID: b72458c26081517cb692f213dc5e595fb7550a1c7ca338c38081d81411803abd
                                                                                            • Opcode Fuzzy Hash: 3697615f451d7fc26fb8104d22a62db024d6b7e65e0f42aee9dd171e956c996e
                                                                                            • Instruction Fuzzy Hash: 76617E71909524ABD725AB66EC48DDF7F7CEF0A395B10403EF106D2161CB388A85CBAD

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 328 4073ff-407419 329 40741b 328->329 330 40741d-407422 328->330 329->330 331 407424 330->331 332 407426-40742b 330->332 331->332 333 407430-407435 332->333 334 40742d 332->334 335 407437 333->335 336 40743a-407481 call 406dc2 call 402544 RegOpenKeyExA 333->336 334->333 335->336 341 407487-40749d call 40ee2a 336->341 342 4077f9-4077fe call 40ee2a 336->342 347 407703-40770e RegEnumKeyA 341->347 348 407801 342->348 349 4074a2-4074b1 call 406cad 347->349 350 407714-40771d RegCloseKey 347->350 351 407804-407808 348->351 354 4074b7-4074cc call 40f1a5 349->354 355 4076ed-407700 349->355 350->348 354->355 358 4074d2-4074f8 RegOpenKeyExA 354->358 355->347 359 407727-40772a 358->359 360 4074fe-407530 call 402544 RegQueryValueExA 358->360 361 407755-407764 call 40ee2a 359->361 362 40772c-407740 call 40ef00 359->362 360->359 369 407536-40753c 360->369 373 4076df-4076e2 361->373 370 407742-407745 RegCloseKey 362->370 371 40774b-40774e 362->371 372 40753f-407544 369->372 370->371 375 4077ec-4077f7 RegCloseKey 371->375 372->372 374 407546-40754b 372->374 373->355 376 4076e4-4076e7 RegCloseKey 373->376 374->361 377 407551-40756b call 40ee95 374->377 375->351 376->355 377->361 380 407571-407593 call 402544 call 40ee95 377->380 385 407753 380->385 386 407599-4075a0 380->386 385->361 387 4075a2-4075c6 call 40ef00 call 40ed03 386->387 388 4075c8-4075d7 call 40ed03 386->388 393 4075d8-4075da 387->393 388->393 395 4075dc 393->395 396 4075df-407623 call 40ee95 call 402544 call 40ee95 call 40ee2a 393->396 395->396 406 407626-40762b 396->406 406->406 407 40762d-407634 406->407 408 407637-40763c 407->408 408->408 409 40763e-407642 408->409 410 407644-407656 call 40ed77 409->410 411 40765c-407673 call 40ed23 409->411 410->411 416 407769-40777c call 40ef00 410->416 417 407680 411->417 418 407675-40767e 411->418 423 4077e3-4077e6 RegCloseKey 416->423 420 407683-40768e call 406cad 417->420 418->420 425 407722-407725 420->425 426 407694-4076bf call 40f1a5 call 406c96 420->426 423->375 427 4076dd 425->427 432 4076c1-4076c7 426->432 433 4076d8 426->433 427->373 432->433 434 4076c9-4076d2 432->434 433->427 434->433 435 40777e-407797 GetFileAttributesExA 434->435 436 407799 435->436 437 40779a-40779f 435->437 436->437 438 4077a1 437->438 439 4077a3-4077a8 437->439 438->439 440 4077c4-4077c8 439->440 441 4077aa-4077c0 call 40ee08 439->441 442 4077d7-4077dc 440->442 443 4077ca-4077d6 call 40ef00 440->443 441->440 447 4077e0-4077e2 442->447 448 4077de 442->448 443->442 447->423 448->447
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                            • API String ID: 3433985886-3108538426
                                                                                            • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                            • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 450 40704c-407071 451 407073 450->451 452 407075-40707a 450->452 451->452 453 40707c 452->453 454 40707e-407083 452->454 453->454 455 407085 454->455 456 407087-40708c 454->456 455->456 457 407090-4070ca call 402544 RegOpenKeyExA 456->457 458 40708e 456->458 461 4070d0-4070f6 call 406dc2 457->461 462 4071b8-4071c8 call 40ee2a 457->462 458->457 467 40719b-4071a9 RegEnumValueA 461->467 468 4071cb-4071cf 462->468 469 4070fb-4070fd 467->469 470 4071af-4071b2 RegCloseKey 467->470 471 40716e-407194 469->471 472 4070ff-407102 469->472 470->462 471->467 472->471 473 407104-407107 472->473 473->471 474 407109-40710d 473->474 474->471 475 40710f-407133 call 402544 call 40eed1 474->475 480 4071d0-407203 call 402544 call 40ee95 call 40ee2a 475->480 481 407139-407145 call 406cad 475->481 496 407205-407212 RegCloseKey 480->496 497 407227-40722e 480->497 487 407147-40715c call 40f1a5 481->487 488 40715e-40716b call 40ee2a 481->488 487->480 487->488 488->471 498 407222-407225 496->498 499 407214-407221 call 40ef00 496->499 500 407230-407256 call 40ef00 call 40ed23 497->500 501 40725b-40728c call 402544 call 40ee95 call 40ee2a 497->501 498->468 499->498 500->501 513 407258 500->513 515 4072b8-4072cb call 40ed77 501->515 516 40728e-40729a RegCloseKey 501->516 513->501 523 4072dd-4072f4 call 40ed23 515->523 524 4072cd-4072d8 RegCloseKey 515->524 517 4072aa-4072b3 516->517 518 40729c-4072a9 call 40ef00 516->518 517->468 518->517 527 407301 523->527 528 4072f6-4072ff 523->528 524->468 529 407304-40730f call 406cad 527->529 528->529 532 407311-40731d RegCloseKey 529->532 533 407335-40735d call 406c96 529->533 534 40732d-407330 532->534 535 40731f-40732c call 40ef00 532->535 540 4073d5-4073e2 RegCloseKey 533->540 541 40735f-407365 533->541 534->517 535->534 543 4073f2-4073f7 540->543 544 4073e4-4073f1 call 40ef00 540->544 541->540 542 407367-407370 541->542 542->540 545 407372-40737c 542->545 544->543 548 40739d-4073a2 545->548 549 40737e-407395 GetFileAttributesExA 545->549 551 4073a4 548->551 552 4073a6-4073a9 548->552 549->548 550 407397 549->550 550->548 551->552 553 4073b9-4073bc 552->553 554 4073ab-4073b8 call 40ef00 552->554 556 4073cb-4073cd 553->556 557 4073be-4073ca call 40ef00 553->557 554->553 556->540 557->556
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
                                                                                            • RegEnumValueA.KERNELBASE(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
                                                                                            • RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 004071B2
                                                                                            • RegCloseKey.ADVAPI32(75920F10), ref: 00407208
                                                                                            • RegCloseKey.ADVAPI32(75920F10), ref: 00407291
                                                                                            • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                                            • RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
                                                                                            • RegCloseKey.ADVAPI32(75920F10), ref: 00407314
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                                            • RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                            • String ID: $"$PromptOnSecureDesktop
                                                                                            • API String ID: 4293430545-98143240
                                                                                            • Opcode ID: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                            • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                                            • Opcode Fuzzy Hash: 74e128f8df151d438ab4d1c82f82d45ce79a9eea08151c9b6eb13cdb2253fb65
                                                                                            • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                            • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                            • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                            • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
                                                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
                                                                                            • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
                                                                                            • CloseHandle.KERNEL32(000000FF,?,75920F10,00000000), ref: 00406971
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 2622201749-0
                                                                                            • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                            • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0211024D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID: cess$kernel32.dll
                                                                                            • API String ID: 4275171209-1230238691
                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction ID: 74c52d792651154b35292d0624a265a8ac5351d2dd942f5d0c11e8719098d6e9
                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction Fuzzy Hash: 95525874E01229DFDB64CF58C984BA8BBB1BF09304F1580E9E94DAB351DB30AA85CF14

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                                            • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                                            • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                                              • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                              • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                              • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                              • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                              • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 4131120076-2980165447
                                                                                            • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                            • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                                            • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                                            • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                                            • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                                            • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 408151869-2980165447
                                                                                            • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                            • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                                            • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileWrite
                                                                                            • String ID: ,k@
                                                                                            • API String ID: 3934441357-1053005162
                                                                                            • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                            • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                                            • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                                            • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                                            • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: ExecuteShellSleep
                                                                                            • String ID:
                                                                                            • API String ID: 4194306370-0
                                                                                            • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                            • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                                            • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                                            • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,02110223,?,?), ref: 02110E19
                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,02110223,?,?), ref: 02110E1E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0
                                                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction ID: f41980ae68ce685da741fb8abaf3e2b422b08bc76916466801f808e01ad358d5
                                                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction Fuzzy Hash: C9D0123154512877DB002A95DC09BCD7B1CDF09B66F108021FB0DD9080C770954046E5
                                                                                            APIs
                                                                                              • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                              • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                              • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                              • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                            • String ID:
                                                                                            • API String ID: 1823874839-0
                                                                                            • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                            • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                                            APIs
                                                                                            • VirtualProtect.KERNELBASE(00000040,?), ref: 004175F8
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150586425.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_415000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: ProtectVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 544645111-0
                                                                                            • Opcode ID: 4e90e5151ba5019126abd3050a43543751f9b5068c80efb2043434d2877197fe
                                                                                            • Instruction ID: aa73c9f825d5df17848c24f377238b424e705aacf1c0d2419f86f1d3d7c4eb2b
                                                                                            • Opcode Fuzzy Hash: 4e90e5151ba5019126abd3050a43543751f9b5068c80efb2043434d2877197fe
                                                                                            • Instruction Fuzzy Hash: ABC08CB1200209BFCB018B85FC01E863B6CE305384F004071F302A00B0C2B2E9049B1C
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0075E2EE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151473629.000000000075D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_75d000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction ID: 15a2667ae4da40aefa902450df974e0364af27d424f3b71206e92b41dcf494ba
                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction Fuzzy Hash: C8112D79A00208EFDB01DF98C985E98BBF5AF08351F158094F9889B362E375EA50DB80
                                                                                            APIs
                                                                                            • GlobalAlloc.KERNELBASE(00000000,00417A4D), ref: 004175CB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150586425.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_415000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocGlobal
                                                                                            • String ID:
                                                                                            • API String ID: 3761449716-0
                                                                                            • Opcode ID: 1b8ec44056b00309cc5f266c182984128dcf6dbdfddfd59655b0be00dbed23e0
                                                                                            • Instruction ID: 274654774a60fdf00fd51e05caba7627b891178c4aca089a58273a46cc3454b5
                                                                                            • Opcode Fuzzy Hash: 1b8ec44056b00309cc5f266c182984128dcf6dbdfddfd59655b0be00dbed23e0
                                                                                            • Instruction Fuzzy Hash: CFB011B00002008FCB800FA8EC08B023EA2A30A383F028038E200882B0CBB20008AF2A
                                                                                            APIs
                                                                                            • closesocket.WS2_32(?), ref: 0040CA4E
                                                                                            • closesocket.WS2_32(?), ref: 0040CB63
                                                                                            • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                                            • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                                            • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                                            • wsprintfA.USER32 ref: 0040CD21
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                                            • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                                            • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                                            • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                                            • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                                            • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                                            • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                                            • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                                            • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                                            • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                                            • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                                            • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                                            • closesocket.WS2_32(?), ref: 0040D56C
                                                                                            • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                                            • ExitProcess.KERNEL32 ref: 0040D583
                                                                                            • wsprintfA.USER32 ref: 0040D81F
                                                                                              • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                                            • closesocket.WS2_32(?), ref: 0040DAD5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                                            • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                                            • API String ID: 562065436-3791576231
                                                                                            • Opcode ID: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                            • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                                            • Opcode Fuzzy Hash: 9e4fe3788f012a04d44cc6c5e4c1fd3e816f3d6647e3ed2456f4b6deaabaf357
                                                                                            • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                                            • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                                            • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                                            • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                                            • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                                            • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                                            • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                                            • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                                            • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                                            • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                                            • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                                            • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                                            • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressProc$LibraryLoad
                                                                                            • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                                            • API String ID: 2238633743-3228201535
                                                                                            • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                                            • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                                            • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                                            • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                                            • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                                            • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                                            • wsprintfA.USER32 ref: 0040B3B7
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                                            • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                                            • API String ID: 766114626-2976066047
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                                            • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-3716895483
                                                                                            • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                                            • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                                            • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                                            • GetTickCount.KERNEL32 ref: 00401FC9
                                                                                              • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                                            • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                                            • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                                            • htons.WS2_32(00000000), ref: 00402ADB
                                                                                            • select.WS2_32 ref: 00402B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                                            • htons.WS2_32(?), ref: 00402B71
                                                                                            • htons.WS2_32(?), ref: 00402B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1639031587-0
                                                                                            • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                                            • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                                            • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                            • ExitProcess.KERNEL32 ref: 00404121
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2404124870-2980165447
                                                                                            • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                            • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                                            • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                                            • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                                            APIs
                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                            • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                            • String ID: *p@
                                                                                            • API String ID: 3429775523-2474123842
                                                                                            • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                            • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 021165F6
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02116610
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02116631
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02116652
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction ID: 4ef987e59a1ff26dc06246e9f977253eda83deec6426c855d9175ddd8c08fd96
                                                                                            • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction Fuzzy Hash: BF115171640258BFDB219F65DC45F9B3FACEB057A5F114034FA08A7250D7B2DD00CAA4
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                                            • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                                            • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
                                                                                            APIs
                                                                                            • CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
                                                                                            • DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
                                                                                              • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
                                                                                              • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$FileSystem$CloseControlCreateDeviceHandle
                                                                                            • String ID:
                                                                                            • API String ID: 3754425949-0
                                                                                            • Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                            • Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
                                                                                            • Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
                                                                                            • Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: .$GetProcAddress.$l
                                                                                            • API String ID: 0-2784972518
                                                                                            • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                            • Instruction ID: d486d75307bc883e2e3f020181736d47453b96a2fc3586c5d122d2491ae3b294
                                                                                            • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                                            • Instruction Fuzzy Hash: DD316CB6900609DFDB10CF99C880AAEBBF5FF48324F15405AD845AB314D771EA85CFA4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2151473629.000000000075D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0075D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_75d000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• ExitProcess.KERNEL32 ref: 02119E6D
• lstrcpy.KERNEL32(?,00000000), ref: 02119FE1
• lstrcat.KERNEL32(?,?), ref: 02119FF2
• lstrcat.KERNEL32(?,0041070C), ref: 0211A004
• GetFileAttributesExA.KERNEL32(?,?,?), ref: 0211A054
• DeleteFileA.KERNEL32(?), ref: 0211A09F
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0211A0D6
• lstrcpy.KERNEL32 ref: 0211A12F
• lstrlen.KERNEL32(00000022), ref: 0211A13C
• GetTempPathA.KERNEL32(000001F4,?), ref: 02119F13
  • Part of subcall function 02117029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02117081
  • Part of subcall function 02116F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\slknjncf,02117043), ref: 02116F4E
  • Part of subcall function 02116F30: GetProcAddress.KERNEL32(00000000), ref: 02116F55
  • Part of subcall function 02116F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02116F7B
  • Part of subcall function 02116F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02116F92
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0211A1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0211A1C5
• GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0211A214
• GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0211A21B
• GetDriveTypeA.KERNEL32(?), ref: 0211A265
• lstrcat.KERNEL32(?,00000000), ref: 0211A29F
• lstrcat.KERNEL32(?,00410A34), ref: 0211A2C5
• lstrcat.KERNEL32(?,00000022), ref: 0211A2D9
• lstrcat.KERNEL32(?,00410A34), ref: 0211A2F4
• wsprintfA.USER32 ref: 0211A31D
• lstrcat.KERNEL32(?,00000000), ref: 0211A345
• lstrcat.KERNEL32(?,?), ref: 0211A364
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0211A387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0211A398
• RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0211A1D1
  • Part of subcall function 02119966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0211999D
  • Part of subcall function 02119966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 021199BD
  • Part of subcall function 02119966: RegCloseKey.ADVAPI32(?), ref: 021199C6
• GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0211A3DB
• GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0211A3E2
• GetDriveTypeA.KERNEL32(00000022), ref: 0211A41D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
• String ID: "$"$"$D$P$\
• API String ID: 1653845638-2605685093
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02117D21
• GetUserNameA.ADVAPI32(?,?), ref: 02117D46
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02117D7D
• RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02117DA2
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02117DC0
• EqualSid.ADVAPI32(?,?), ref: 02117DD1
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02117DE5
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02117DF3
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02117E03
• RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02117E12
• LocalFree.KERNEL32(00000000), ref: 02117E19
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02117E35
Strings
Memory Dump Source
• Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: D$PromptOnSecureDesktop
• API String ID: 2976863881-1403908072
APIs
• RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
• GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
• LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
• EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
• LocalFree.KERNEL32(00000000), ref: 00407BB2
• GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: D$PromptOnSecureDesktop
• API String ID: 2976863881-1403908072
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
APIs
• wsprintfA.USER32 ref: 0040A7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
• wsprintfA.USER32 ref: 0040A8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
• wsprintfA.USER32 ref: 0040A8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
• wsprintfA.USER32 ref: 0040A9B9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 02117A96
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02117ACD
• GetLengthSid.ADVAPI32(?), ref: 02117ADF
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02117B01
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02117B1F
• EqualSid.ADVAPI32(?,?), ref: 02117B39
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02117B4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02117B58
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02117B68
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02117B77
• LocalFree.KERNEL32(00000000), ref: 02117B7E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02117B9A
• GetAce.ADVAPI32(?,?,?), ref: 02117BCA
• EqualSid.ADVAPI32(?,?), ref: 02117BF1
• DeleteAce.ADVAPI32(?,?), ref: 02117C0A
• EqualSid.ADVAPI32(?,?), ref: 02117C2C
• LocalAlloc.KERNEL32(00000040,00000014), ref: 02117CB1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02117CBF
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02117CD0
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02117CE0
• LocalFree.KERNEL32(00000000), ref: 02117CEE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
Yara matches
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction ID: 5a11677dd3c85ad7b3143c76904d567348eb541fb547e28b5de58cd20f423a34
                                                                                            • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                                            • Instruction Fuzzy Hash: 20814D7194021EAFDB21CFA4DD84FEEFBB8AF08304F14807AE515E6290D7759682CB64
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                                            • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                                            • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                                            • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: PromptOnSecureDesktop$localcfg
                                                                                            • API String ID: 237177642-1678164370
                                                                                            • Opcode ID: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                            • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                                            • Opcode Fuzzy Hash: f0e8bc001febcaf3aa79265d78dfa7c2bcbced2000b5ff9bfcb5f44e60df388c
                                                                                            • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                            • API String ID: 835516345-270533642
                                                                                            • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                                            • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                                            • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0211865A
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0211867B
                                                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 021186A8
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 021186B1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                            • API String ID: 237177642-3108538426
                                                                                            • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction ID: 8b0f43a4cb7df1068df41915be87caf1b8df0e445546388eb78585e3bb5b31b1
                                                                                            • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                                            • Instruction Fuzzy Hash: A9C180B298024DBEFB11ABA4DD84EEF7BBDEB04304F158076F604E6050E7B14A95CB65
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 02111601
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 021117D8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $<$@$D
                                                                                            • API String ID: 1628651668-1974347203
                                                                                            • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction ID: bb3494c23ade77732a3fa984f461aaf3a5501cd07dfdff4acaa14d017d61697e
                                                                                            • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                                            • Instruction Fuzzy Hash: 97F19BB1548345AFD720CF64C888BAAFBE5FB89304F00893DF69A97390D7B49944CB56
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 021176D9
                                                                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 02117757
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0211778F
                                                                                            • ___ascii_stricmp.LIBCMT ref: 021178B4
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0211794E
                                                                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0211796D
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 0211797E
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 021179AC
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02117A56
                                                                                              • Part of subcall function 0211F40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,0211772A,?), ref: 0211F414
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 021179F6
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 02117A4D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "$PromptOnSecureDesktop
                                                                                            • API String ID: 3433985886-3108538426
                                                                                            • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction ID: bf4f03007374c572a31eab37934ddf3c783a9372a32533073f763af889c03ec7
                                                                                            • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                                            • Instruction Fuzzy Hash: D3C18371980259AFEB119FA4DC44FEEBBBAEF49310F1440B5E504E6290EB719A85CB60
                                                                                            APIs
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02112CED
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 02112D07
                                                                                            • htons.WS2_32(00000000), ref: 02112D42
                                                                                            • select.WS2_32 ref: 02112D8F
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 02112DB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02112E62
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 127016686-0
                                                                                            • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction ID: 18c8a4d240f5242d44ddb80f624d2cc27cfd2fd958ea3d98e4d33b9098e68a3e
                                                                                            • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                                            • Instruction Fuzzy Hash: 17612371944329AFC7209F64DC08BABBBF8FB88745F114829FD8897150D7B5D880CBA6
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                                              • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                              • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                              • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                              • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                                              • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                                            • wsprintfA.USER32 ref: 0040AEA5
                                                                                              • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                                            • wsprintfA.USER32 ref: 0040AE4F
                                                                                            • wsprintfA.USER32 ref: 0040AE5E
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                            • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                            • htons.WS2_32(00000035), ref: 00402E88
                                                                                            • inet_addr.WS2_32(?), ref: 00402E93
                                                                                            • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                            • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?), ref: 021195A7
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 021195D5
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 021195DC
                                                                                            • wsprintfA.USER32 ref: 02119635
                                                                                            • wsprintfA.USER32 ref: 02119673
                                                                                            • wsprintfA.USER32 ref: 021196F4
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02119758
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0211978D
• RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 021197D8
Memory Dump Source
• Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
Similarity
• API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
• String ID: PromptOnSecureDesktop
• API String ID: 3696105349-2980165447
• Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction ID: a6eefa88b6990bb88f83fac7d43d349ccd4df375857031b8b060df06346c2f76
• Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
• Instruction Fuzzy Hash: F5A17AB298021CAFEB21DFA0DC55FDA3BADAF04740F104036FA25A6151E7B5D584CFA4
APIs
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: lstrcmpi
• String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
• API String ID: 1586166983-142018493
• Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
• Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
• Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
APIs
• wsprintfA.USER32 ref: 0040B467
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: lstrlen$wsprintf
• String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
• API String ID: 1220175532-2340906255
• Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
• Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
• Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
APIs
• GetVersionExA.KERNEL32 ref: 0211202D
• GetSystemInfo.KERNEL32(?), ref: 0211204F
• GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0211206A
• GetProcAddress.KERNEL32(00000000), ref: 02112071
• GetCurrentProcess.KERNEL32(?), ref: 02112082
• GetTickCount.KERNEL32 ref: 02112230
  • Part of subcall function 02111E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 02111E7C
Memory Dump Source
• Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: flags_upd$hi_id$localcfg$work_srv
• API String ID: 4207808166-1391650218
• Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
• Instruction ID: e4536f2b713a8083d0c74e1900197b967647b149d88a40dca1872c7be1c30be3
• Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
• Instruction Fuzzy Hash: BF51A4B0584348AFE330AF759C85F6BBAECEB45704F00493DFD9A82142D7B9A584CB65
APIs
• GetTickCount.KERNEL32 ref: 00402078
• GetTickCount.KERNEL32 ref: 004020D4
• GetTickCount.KERNEL32 ref: 004020DB
• GetTickCount.KERNEL32 ref: 0040212B
• GetTickCount.KERNEL32 ref: 00402132
• GetTickCount.KERNEL32 ref: 00402142
  • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
  • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
  • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
  • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
  • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
• String ID: localcfg$net_type$rbl_bl$rbl_ip
• API String ID: 3976553417-1522128867
• Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
• Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
• Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
APIs
• htons.WS2_32(0040CA1D), ref: 0040F34D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
• closesocket.WS2_32(00000000), ref: 0040F375
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: closesockethtonssocket
• String ID: time_cfg
• API String ID: 311057483-2401304539
• Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
• Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
• Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
• Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
APIs
  • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
  • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
• GetTickCount.KERNEL32 ref: 0040C31F
• GetTickCount.KERNEL32 ref: 0040C32B
• GetTickCount.KERNEL32 ref: 0040C363
• GetTickCount.KERNEL32 ref: 0040C378
• GetTickCount.KERNEL32 ref: 0040C44D
• InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
• CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
• String ID: localcfg
• API String ID: 1553760989-1857712256
• Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
• Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
• Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
• Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02113068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02113078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 02113095
• RtlAllocateHeap.NTDLL(00000000), ref: 021130B6
• htons.WS2_32(00000035), ref: 021130EF
• inet_addr.WS2_32(?), ref: 021130FA
• gethostbyname.WS2_32(?), ref: 0211310D
• HeapFree.KERNEL32(00000000), ref: 0211314D
Memory Dump Source
• Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
Similarity
• API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
• String ID: iphlpapi.dll
• API String ID: 2869546040-3565520932
• Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction ID: 09e5bc238644634283621fdcf1ba7c2213b126a001b061382a7024b7a3138cee
• Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
• Instruction Fuzzy Hash: FB31E831A40706ABDF119BB89C48BAE7BB8EF05364F1441B5F928E32D4DB74D941CB58
APIs
• GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
• LoadLibraryA.KERNEL32(?), ref: 00402D4A
• GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
• GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
• HeapAlloc.KERNEL32(00000000), ref: 00402DA0
• lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
• String ID: DnsQuery_A$dnsapi.dll
• API String ID: 3560063639-3847274415
• Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
• Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
• Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
APIs
• GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
• GetProcAddress.KERNEL32(00000000), ref: 00406CEE
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
• GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
Similarity
• API ID: Directory$AddressHandleModuleProcSystemWindows
• String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
• API String ID: 1082366364-2834986871
• Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
• Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
• Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                                            • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                                            • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D$PromptOnSecureDesktop
                                                                                            • API String ID: 2981417381-1403908072
                                                                                            • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                            • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 021167C3
                                                                                            • htonl.WS2_32(?), ref: 021167DF
                                                                                            • htonl.WS2_32(?), ref: 021167EE
                                                                                            • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 021168F1
                                                                                            • ExitProcess.KERNEL32 ref: 021169BC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Processhtonl$CurrentExitHugeRead
                                                                                            • String ID: except_info$localcfg
                                                                                            • API String ID: 1150517154-3605449297
                                                                                            • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction ID: ab1c98b078e450a9ef7aba094bec2ee6ee20633ccee4bed8bdd1cb82b65f9d0a
                                                                                            • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction Fuzzy Hash: C4616E71A40208AFDB609FB4DC45FEA77E9FB08300F14806AFA6DD2161EB759990CF54
                                                                                            APIs
                                                                                            • htons.WS2_32(0211CC84), ref: 0211F5B4
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0211F5CE
                                                                                            • closesocket.WS2_32(00000000), ref: 0211F5DC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction ID: 24dc360c9e807cb2185880de8b3bd182d116ba95a2cf0cf44208fd732b7ac229
                                                                                            • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction Fuzzy Hash: 94316BB2940218ABDB10DFA5DC889EE7BBCEF88310F114566F915D3150E7708A82CBE4
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                            • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                            • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                            • wsprintfA.USER32 ref: 00407036
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                            • String ID: /%d$|
                                                                                            • API String ID: 676856371-4124749705
                                                                                            • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                            • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(?), ref: 02112FA1
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 02112FB1
                                                                                            • GetProcAddress.KERNEL32(00000000,004103F0), ref: 02112FC8
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02113000
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 02113007
                                                                                            • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02113032
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: dnsapi.dll
                                                                                            • API String ID: 1242400761-3175542204
                                                                                            • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction ID: ed424b154117ef4f780252bfcc0ffe660aaadd3e209ca99cad413e6f5fb0f528
                                                                                            • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction Fuzzy Hash: 4A217171D8162ABBCB219B55DC48AEEBBBCEF08B50F004471F915E7140D7B49A8187E4
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\slknjncf,02117043), ref: 02116F4E
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02116F55
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02116F7B
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02116F92
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\slknjncf
                                                                                            • API String ID: 1082366364-1174970947
                                                                                            • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction ID: f9fc1bf7b74666a5a4c08ca7ca5f020773a48652831ec8949f1a5e8727e36620
                                                                                            • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction Fuzzy Hash: C721CF217C13917EF72257319C88FBB2A4D8B52764F1880B5F844E65D0EBFA84D682AD
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3609698214-2980165447
                                                                                            • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                            • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                            • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                            • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?), ref: 021192E2
                                                                                            • wsprintfA.USER32 ref: 02119350
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02119375
                                                                                            • lstrlen.KERNEL32(?,?,00000000), ref: 02119389
                                                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 02119394
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0211939B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2439722600-2980165447
                                                                                            • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction ID: fe60e77b524ca238f9ea20aa62e8f13c66ac0b61b70ef991b1697743ac0af2be
                                                                                            • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction Fuzzy Hash: A41142B5A802147FE7246B71EC0DFEF3A6EDBC9B11F008075BB19E5090EBB44A558A64
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                            • wsprintfA.USER32 ref: 004090E9
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                            • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2439722600-2980165447
                                                                                            • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                            • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02119A18
                                                                                            • GetThreadContext.KERNEL32(?,?), ref: 02119A52
                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 02119A60
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02119A98
                                                                                            • SetThreadContext.KERNEL32(?,00010002), ref: 02119AB5
                                                                                            • ResumeThread.KERNEL32(?), ref: 02119AC2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2981417381-2746444292
                                                                                            • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction ID: 4985ab0ea22c422999c698da581c13f9ae816438fc71977e50a91ea7ad8b6c17
                                                                                            • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction Fuzzy Hash: 61213BB1E41229BBDB119BA1DC09EEFBBBCEF04750F404071BA19E1090E7758A44CBA4
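The two function records above that chain CreateProcessA (dwCreationFlags = 00000004, which is CREATE_SUSPENDED), GetThreadContext, WriteProcessMemory (4 bytes), SetThreadContext (00010002 = CONTEXT_INTEGER) and ResumeThread, at refs 004097B1 and 02119A18, are the classic process-hollowing API sequence, and the GetTempPathA / wsprintfA / CreateFileA (40000000 = GENERIC_WRITE, 00000002 = CREATE_ALWAYS) / WriteFile records at 021192E2 and 0040907B are a file drop into %TEMP%. The script below is an added triage example, not part of this report and not Joe Sandbox code: it parses the "APIs" bullet lines in the format shown on this page (the line format is inferred from these records and is an assumption), decodes the relevant Win32 constants, and flags both patterns. The sample records are copied from the page; the "benign" record is the GetUserNameA/LookupAccountNameA function at 00406F7A, included as a negative case.

```python
"""Triage of Joe Sandbox 'APIs' function records (added example; not from the report)."""
import re

# Line shape inferred from this report, e.g.
#   • CreateProcessA.KERNEL32(00000000,00409947,...), ref: 004097B1
#   • wsprintfA.USER32 ref: 02119350            (no argument list)
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Win32 constants (not assumptions).
CREATE_SUSPENDED = 0x00000004            # CreateProcess dwCreationFlags
CONTEXT_i386     = 0x00010000
CONTEXT_INTEGER  = CONTEXT_i386 | 0x2    # 0x10002, the value shown at SetThreadContext
GENERIC_WRITE    = 0x40000000            # CreateFile dwDesiredAccess
CREATE_ALWAYS    = 0x00000002            # CreateFile dwCreationDisposition

# Constructed sample: API lines copied verbatim from three records in this report.
SAMPLE_RECORDS = {
    "hollow_0x4097B1": """
• CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
""",
    "drop_0x21192E2": """
• GetTempPathA.KERNEL32(00000400,?), ref: 021192E2
• wsprintfA.USER32 ref: 02119350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02119375
• lstrlen.KERNEL32(?,?,00000000), ref: 02119389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 02119394
• CloseHandle.KERNEL32(00000000), ref: 0211939B
""",
    "benign_0x406F7A": """
• GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
""",
}


def parse_record(text):
    """Return the API calls of one record, in listing order, as dicts."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue                      # headings such as 'APIs' or 'Strings'
        raw = m.group("args")
        args = [] if raw is None else [a.strip() for a in raw.split(",")]
        calls.append({"api": m.group("api"), "module": m.group("mod"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def arg_int(call, idx):
    """Argument idx as an int, or None when unresolved ('?') or a string literal."""
    try:
        return int(call["args"][idx], 16)
    except (IndexError, ValueError):
        return None


def find_hollowing(calls):
    """CreateProcess(CREATE_SUSPENDED) followed by context read, remote write, context set, resume."""
    needed = {"GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread"}
    for i, c in enumerate(calls):
        if c["api"] not in ("CreateProcessA", "CreateProcessW"):
            continue
        flags = arg_int(c, 5)             # dwCreationFlags is the 6th parameter
        if flags is None or not flags & CREATE_SUSPENDED:
            continue
        if needed <= {x["api"] for x in calls[i + 1:]}:
            return f"process-hollowing: CreateProcess(CREATE_SUSPENDED) at {c['ref']:08X}"
    return None


def find_temp_drop(calls):
    """GetTempPath + CreateFile(GENERIC_WRITE, CREATE_ALWAYS) + WriteFile in one function."""
    apis = [c["api"] for c in calls]
    if not any(a.startswith("GetTempPath") for a in apis) or "WriteFile" not in apis:
        return None
    for c in calls:
        if c["api"] in ("CreateFileA", "CreateFileW"):
            access, disposition = arg_int(c, 1), arg_int(c, 4)
            if access is not None and access & GENERIC_WRITE and disposition == CREATE_ALWAYS:
                return f"temp-file-drop: CreateFile(GENERIC_WRITE, CREATE_ALWAYS) at {c['ref']:08X}"
    return None


def triage(record_text):
    """All findings for one record's 'APIs' block, in a fixed order."""
    calls = parse_record(record_text)
    return [f for f in (find_hollowing(calls), find_temp_drop(calls)) if f]


if __name__ == "__main__":
    for name, text in SAMPLE_RECORDS.items():
        print(name, triage(text) or "no finding")
```

The order check in find_hollowing is by listing position, not by ref address; Joe Sandbox lists calls in address order within one function, so the two coincide for these records. The 4-byte WriteProcessMemory and CONTEXT_INTEGER are consistent with the 32-bit hollowing variant that rewrites the PEB image base and the entry-point register, but that is an interpretation of the listing, not something the report states.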
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(004102D8), ref: 02111C18
                                                                                            • LoadLibraryA.KERNEL32(004102C8), ref: 02111C26
                                                                                            • GetProcessHeap.KERNEL32 ref: 02111C84
                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02111C9D
                                                                                            • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 02111CC1
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000), ref: 02111D02
                                                                                            • FreeLibrary.KERNEL32(?), ref: 02111D0B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID:
                                                                                            • API String ID: 2324436984-0
                                                                                            • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction ID: 0798d870c67d8f4ba796db34a11e341e195b149263edcfe0065e226fa60b7ac4
                                                                                            • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction Fuzzy Hash: 36317C32E40209BFCF119FA4DC8C9EEFAB9EB45311B24407AE609A2110DBB54E80DB95
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                                            • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                                            • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: QueryValue$CloseOpen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1586453840-2980165447
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                                            • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 1371578007-2980165447
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02116CE4
                                                                                            • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02116D22
                                                                                            • GetLastError.KERNEL32 ref: 02116DA7
                                                                                            • CloseHandle.KERNEL32(?), ref: 02116DB5
                                                                                            • GetLastError.KERNEL32 ref: 02116DD6
                                                                                            • DeleteFileA.KERNEL32(?), ref: 02116DE7
                                                                                            • GetLastError.KERNEL32 ref: 02116DFD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3873183294-0
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 021193C6
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 021193CD
                                                                                            • CharToOemA.USER32(?,?), ref: 021193DB
                                                                                            • wsprintfA.USER32 ref: 02119410
                                                                                              • Part of subcall function 021192CB: GetTempPathA.KERNEL32(00000400,?), ref: 021192E2
                                                                                              • Part of subcall function 021192CB: wsprintfA.USER32 ref: 02119350
                                                                                              • Part of subcall function 021192CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02119375
                                                                                              • Part of subcall function 021192CB: lstrlen.KERNEL32(?,?,00000000), ref: 02119389
                                                                                              • Part of subcall function 021192CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02119394
                                                                                              • Part of subcall function 021192CB: CloseHandle.KERNEL32(00000000), ref: 0211939B
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02119448
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3857584221-2980165447
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                            • CharToOemA.USER32(?,?), ref: 00409174
                                                                                            • wsprintfA.USER32 ref: 004091A9
                                                                                              • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                                              • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                              • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                              • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                              • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                              • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 3857584221-2980165447
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen
                                                                                            • String ID: $localcfg
                                                                                            • API String ID: 1659193697-2018645984
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                              • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                            • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                            • String ID: flags_upd$localcfg
                                                                                            • API String ID: 204374128-3505511081
                                                                                            APIs
                                                                                              • Part of subcall function 0211DF6C: GetCurrentThreadId.KERNEL32 ref: 0211DFBA
                                                                                            • lstrcmp.KERNEL32(00410178,00000000), ref: 0211E8FA
                                                                                            • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,02116128), ref: 0211E950
                                                                                            • lstrcmp.KERNEL32(?,00000008), ref: 0211E989
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 2920362961-1846390581
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID:
                                                                                            • API String ID: 3609698214-0
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                            • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                                            • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3819781495-0
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0211C6B4
                                                                                            • InterlockedIncrement.KERNEL32(0211C74B), ref: 0211C715
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0211C747), ref: 0211C728
                                                                                            • CloseHandle.KERNEL32(00000000,?,0211C747,00413588,02118A77), ref: 0211C733
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1026198776-1857712256
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                              • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                              • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                              • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                              • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                              • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                              • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 124786226-2980165447
                                                                                            • Opcode ID: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                            • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                                            • Opcode Fuzzy Hash: f41c48beccc796d99ac39a3e9a8e7a8285e468a1565ebf528982a8b7ec716e81
                                                                                            • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0211E50A,00000000,00000000,00000000,00020106,00000000,0211E50A,00000000,000000E4), ref: 0211E319
                                                                                            • RegSetValueExA.ADVAPI32(0211E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0211E38E
                                                                                            • RegDeleteValueA.ADVAPI32(0211E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0211E3BF
                                                                                            • RegCloseKey.ADVAPI32(0211E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0211E50A), ref: 0211E3C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2667537340-2980165447
                                                                                            • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction ID: 85b21dc2360638dfec968806f8ceadea4e0c8354c89ace2467421c025694a492
                                                                                            • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                                            • Instruction Fuzzy Hash: E0212971A40219ABDB209FA5EC89EEF7F69EF08760F048071E905E6160E7718A55DBA0
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                            • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                            • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                            • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 2667537340-2980165447
                                                                                            • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                            • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 021171E1
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02117228
                                                                                            • LocalFree.KERNEL32(?,?,?), ref: 02117286
                                                                                            • wsprintfA.USER32 ref: 0211729D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                                            • String ID: |
                                                                                            • API String ID: 2539190677-2343686810
                                                                                            • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                            • Instruction ID: 955527549d04b45e9423f79f80a1c4fa324c2c9b23116f573ec1f667d6641df8
                                                                                            • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                                            • Instruction Fuzzy Hash: 62312972A40208BFDB01DFA8DC45BDA7BACEF04314F14C066F959DB240EB75D6498B94
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                                            • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$gethostnamelstrcpy
                                                                                            • String ID: LocalHost
                                                                                            • API String ID: 3695455745-3154191806
                                                                                            • Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                            • Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
                                                                                            • Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
                                                                                            • Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0211B51A
                                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0211B529
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0211B548
                                                                                            • GetTimeZoneInformation.KERNEL32(?), ref: 0211B590
                                                                                            • wsprintfA.USER32 ref: 0211B61E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 4026320513-0
                                                                                            • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction ID: 77e761f3dc0e7bcee362c433fd65df9100416afdfac0cea8af93e91fcb25c52f
                                                                                            • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                                            • Instruction Fuzzy Hash: 705100B1D4021DAACF58DFD5D8885EEBBB9BF48304F10816AF505B6150E7B84AC9CF98
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 02116303
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 0211632A
                                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 021163B1
                                                                                            • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 02116405
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: HugeRead$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 3498078134-0
                                                                                            • Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                            • Instruction ID: 4a2b8b4f19e5a092cd852781486dd0649e60d30020d7abb988c026a49e10dd06
                                                                                            • Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
                                                                                            • Instruction Fuzzy Hash: 5F415971A50249EFDB14CF58C884BAEB7B8EF04358F198179E869D7290E772E941CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                                            • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                                            • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                            • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
                                                                                            • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                                            • lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                            • String ID: A$ A
                                                                                            • API String ID: 3343386518-686259309
                                                                                            • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                            • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040272E
                                                                                            • htons.WS2_32(00000001), ref: 00402752
                                                                                            • htons.WS2_32(0000000F), ref: 004027D5
                                                                                            • htons.WS2_32(00000001), ref: 004027E3
                                                                                            • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                              • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                              • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                            • String ID:
                                                                                            • API String ID: 1128258776-0
                                                                                            • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                            • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
APIs
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
• setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
• setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
• setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
• setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
• API ID: setsockopt
• String ID:
• API String ID: 3981526788-0
APIs
• lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
• lstrcmpiA.KERNEL32(?,?), ref: 00402452
• lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
• API ID: lstrlen$lstrcmpi
• String ID: localcfg
• API String ID: 1808961391-1857712256
APIs
  • Part of subcall function 0211DF6C: GetCurrentThreadId.KERNEL32 ref: 0211DFBA
• GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,0211A6AC), ref: 0211E7BF
• ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,0211A6AC), ref: 0211E7EA
• CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,0211A6AC), ref: 0211E819
Memory Dump Source
• Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
• API ID: File$CloseCurrentHandleReadSizeThread
• String ID: PromptOnSecureDesktop
• API String ID: 1396056608-2980165447
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E558
• ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E583
• CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,0040A445), ref: 0040E5B2
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
• API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
• String ID: PromptOnSecureDesktop
• API String ID: 3683885500-2980165447
APIs
• LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
• GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
• API ID: AddressLibraryLoadProc
• String ID: GetAdaptersAddresses$Iphlpapi.dll
• API String ID: 2574300362-1087626847
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 021176D9
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0211796D
• RegCloseKey.ADVAPI32(?), ref: 0211797E
Memory Dump Source
• Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
• API ID: CloseEnumOpen
• String ID: PromptOnSecureDesktop
• API String ID: 1332880857-2980165447
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: hi_id$localcfg
• API String ID: 2777991786-2393279970
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0211999D
• RegDeleteValueA.ADVAPI32(?,00000000), ref: 021199BD
• RegCloseKey.ADVAPI32(?), ref: 021199C6
Memory Dump Source
• Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
• API String ID: 849931509-2980165447
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
• RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
• RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
• API ID: CloseDeleteOpenValue
• String ID: PromptOnSecureDesktop
• API String ID: 849931509-2980165447
Memory Dump Source
• Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
• API ID: gethostbynameinet_addr
• String ID: time_cfg$u6A
• API String ID: 1594361348-1940331995
APIs
• SetFileAttributesA.KERNEL32(?,00000080), ref: 021169E5
• SetFileAttributesA.KERNEL32(?,00000002), ref: 02116A26
• GetFileSize.KERNEL32(000000FF,00000000), ref: 02116A3A
• CloseHandle.KERNEL32(000000FF), ref: 02116BD8
  • Part of subcall function 0211EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02111DCF,?), ref: 0211EEA8
  • Part of subcall function 0211EE95: HeapFree.KERNEL32(00000000), ref: 0211EEAF
Memory Dump Source
• Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
• API ID: File$AttributesHeap$CloseFreeHandleProcessSize
• String ID:
• API String ID: 3384756699-0
Memory Dump Source
• Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
• API ID: wsprintf
• String ID: %u.%u.%u.%u.%s$localcfg
• API String ID: 2111968516-120809033
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 021141AB
                                                                                            • GetLastError.KERNEL32 ref: 021141B5
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 021141C6
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 021141D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0211421F
                                                                                            • GetLastError.KERNEL32 ref: 02114229
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 0211423A
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0211424D
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                            • GetLastError.KERNEL32 ref: 00403F4E
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                            • GetLastError.KERNEL32 ref: 00403FC2
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            APIs
                                                                                            • lstrcmp.KERNEL32(?,80000009), ref: 0211E066
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 1534048567-1846390581
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                            • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                            • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                            • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                            • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                            • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                            • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            APIs
                                                                                            • CreateJobObjectW.KERNEL32(00000000,00000000), ref: 0041775D
                                                                                            • OpenJobObjectW.KERNEL32(00000000,00000000,00000000), ref: 0041777A
                                                                                            • BuildCommDCBW.KERNEL32(00000000,?), ref: 00417785
                                                                                            • LoadLibraryA.KERNEL32(00000000), ref: 0041778C
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150586425.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_415000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: Object$BuildCommCreateLibraryLoadOpen
                                                                                            • String ID:
                                                                                            • API String ID: 2043902199-0
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00403103
                                                                                            • GetTickCount.KERNEL32 ref: 0040310F
                                                                                            • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000001,021144E2,00000000,00000000,00000000), ref: 0211E470
                                                                                            • CloseHandle.KERNEL32(00000001,00000003), ref: 0211E484
                                                                                              • Part of subcall function 0211E2FC: RegCreateKeyExA.ADVAPI32(80000001,0211E50A,00000000,00000000,00000000,00020106,00000000,0211E50A,00000000,000000E4), ref: 0211E319
                                                                                              • Part of subcall function 0211E2FC: RegSetValueExA.ADVAPI32(0211E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0211E38E
                                                                                              • Part of subcall function 0211E2FC: RegDeleteValueA.ADVAPI32(0211E50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0211E3BF
                                                                                              • Part of subcall function 0211E2FC: RegCloseKey.ADVAPI32(0211E50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0211E50A), ref: 0211E3C8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 4151426672-2980165447
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                                            • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                                              • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                              • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                                              • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                                              • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 4151426672-2980165447
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 021183C6
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 02118477
                                                                                              • Part of subcall function 021169C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 021169E5
                                                                                              • Part of subcall function 021169C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 02116A26
                                                                                              • Part of subcall function 021169C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 02116A3A
                                                                                              • Part of subcall function 0211EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02111DCF,?), ref: 0211EEA8
                                                                                              • Part of subcall function 0211EE95: HeapFree.KERNEL32(00000000), ref: 0211EEAF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 359188348-2980165447
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,0211E859,00000000,00020119,0211E859,PromptOnSecureDesktop), ref: 0211E64D
                                                                                            • RegCloseKey.ADVAPI32(0211E859,?,?,?,?,000000C8,000000E4), ref: 0211E787
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseOpen
                                                                                            • String ID: PromptOnSecureDesktop
                                                                                            • API String ID: 47109696-2980165447
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0211AFFF
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0211B00D
                                                                                              • Part of subcall function 0211AF6F: gethostname.WS2_32(?,00000080), ref: 0211AF83
                                                                                              • Part of subcall function 0211AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0211AFE6
                                                                                              • Part of subcall function 0211331C: gethostname.WS2_32(?,00000080), ref: 0211333F
                                                                                              • Part of subcall function 0211331C: gethostbyname.WS2_32(?), ref: 02113349
                                                                                              • Part of subcall function 0211AA0A: inet_ntoa.WS2_32(00000000), ref: 0211AA10
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %OUTLOOK_BND_
                                                                                            • API String ID: 1981676241-3684217054
                                                                                            APIs
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 02119536
                                                                                            • Sleep.KERNEL32(000001F4), ref: 0211955D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShellSleep
                                                                                            • String ID:
                                                                                            • API String ID: 4194306370-3916222277
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0211B9D9
                                                                                            • InterlockedIncrement.KERNEL32(00413648), ref: 0211BA3A
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 0211BA94
                                                                                            • GetTickCount.KERNEL32 ref: 0211BB79
                                                                                            • GetTickCount.KERNEL32 ref: 0211BB99
                                                                                            • InterlockedIncrement.KERNEL32(?), ref: 0211BE15
                                                                                            • closesocket.WS2_32(00000000), ref: 0211BEB4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountIncrementInterlockedTick$closesocket
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 1869671989-2903620461
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 536389180-1857712256
                                                                                            APIs
                                                                                            • GetModuleHandleW.KERNEL32(004B0090), ref: 004176CC
                                                                                            • GetProcAddress.KERNEL32(00000000,0041D260), ref: 00417709
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150586425.0000000000415000.00000020.00000001.01000000.00000003.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_415000_SecuriteInfo.jbxd
                                                                                            Similarity
                                                                                            • API ID: AddressHandleModuleProc
                                                                                            • String ID:
                                                                                            • API String ID: 1646373207-3916222277
                                                                                            APIs
                                                                                            Strings
                                                                                            • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTickwsprintf
                                                                                            • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                                            • API String ID: 2424974917-1012700906
                                                                                            APIs
                                                                                              • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                                              • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 3716169038-2903620461
                                                                                            APIs
                                                                                            • GetUserNameW.ADVAPI32(?,?), ref: 021170BC
                                                                                            • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 021170F4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountLookupUser
                                                                                            • String ID: |
                                                                                            • API String ID: 2370142434-2343686810
                                                                                            APIs
                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                            • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2777991786-1857712256
                                                                                            • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                            • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                            APIs
                                                                                            • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                            • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: IncrementInterlockedlstrcpyn
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 224340156-2903620461
                                                                                            • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                            • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                            APIs
                                                                                            • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                            • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbyaddrinet_ntoa
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2112563974-1857712256
                                                                                            • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                            • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 1594361348-2401304539
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
                                                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: ntdll.dll
                                                                                            • API String ID: 2574300362-2227199552
                                                                                            • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                            • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                            APIs
                                                                                              • Part of subcall function 02112F88: GetModuleHandleA.KERNEL32(?), ref: 02112FA1
                                                                                              • Part of subcall function 02112F88: LoadLibraryA.KERNEL32(?), ref: 02112FB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 021131DA
                                                                                            • HeapFree.KERNEL32(00000000), ref: 021131E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2151815463.0000000002110000.00000040.00001000.00020000.00000000.sdmp, Offset: 02110000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_2110000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction ID: 159e28ea9f37958aa06575efc1d035c119e0f4d87c7402e2b5594bbff48fe114
                                                                                            • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction Fuzzy Hash: 40519E7194025AEFCB059F64D884AFAB775FF05304F2441B9ECA6C7214E732DA19CB94
                                                                                            APIs
                                                                                              • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                              • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                            • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000000.00000002.2150499402.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                             • Associated: 00000000.00000002.2150499402.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                            • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                            • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                            • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88

                                                                                            Execution Graph

                                                                                            Execution Coverage:3%
                                                                                            Dynamic/Decrypted Code Coverage:2%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:1612
                                                                                            Total number of Limit Nodes:18
                                                                                            execution_graph 14892 409961 RegisterServiceCtrlHandlerA 14893 40997d 14892->14893 14900 4099cb 14892->14900 14902 409892 14893->14902 14895 40999a 14896 4099ba 14895->14896 14897 409892 SetServiceStatus 14895->14897 14898 409892 SetServiceStatus 14896->14898 14896->14900 14899 4099aa 14897->14899 14898->14900 14899->14896 14905 4098f2 14899->14905 14903 4098c2 SetServiceStatus 14902->14903 14903->14895 14907 4098f6 14905->14907 14908 409904 Sleep 14907->14908 14910 409917 14907->14910 14913 404280 CreateEventA 14907->14913 14908->14907 14909 409915 14908->14909 14909->14910 14912 409947 14910->14912 14940 40977c 14910->14940 14912->14896 14914 4042a5 14913->14914 14915 40429d 14913->14915 14954 403ecd 14914->14954 14915->14907 14917 4042b0 14958 404000 14917->14958 14920 4043c1 CloseHandle 14920->14915 14921 4042ce 14964 403f18 WriteFile 14921->14964 14926 4043ba CloseHandle 14926->14920 14927 404318 14928 403f18 4 API calls 14927->14928 14929 404331 14928->14929 14930 403f18 4 API calls 14929->14930 14931 40434a 14930->14931 14972 40ebcc GetProcessHeap HeapAlloc 14931->14972 14934 403f18 4 API calls 14935 404389 14934->14935 14975 40ec2e 14935->14975 14938 403f8c 4 API calls 14939 40439f CloseHandle CloseHandle 14938->14939 14939->14915 15004 40ee2a 14940->15004 14943 4097c2 14945 4097d4 Wow64GetThreadContext 14943->14945 14944 4097bb 14944->14912 14946 409801 14945->14946 14947 4097f5 14945->14947 15006 40637c 14946->15006 14948 4097f6 TerminateProcess 14947->14948 14948->14944 14950 409816 14950->14948 14951 40981e WriteProcessMemory 14950->14951 14951->14947 14952 40983b Wow64SetThreadContext 14951->14952 14952->14947 14953 409858 ResumeThread 14952->14953 14953->14944 14955 403edc 14954->14955 14957 403ee2 14954->14957 14980 406dc2 14955->14980 14957->14917 14959 40400b CreateFileA 14958->14959 14960 40402c GetLastError 14959->14960 14961 404052 14959->14961 
14960->14961 14962 404037 14960->14962 14961->14915 14961->14920 14961->14921 14962->14961 14963 404041 Sleep 14962->14963 14963->14959 14963->14961 14965 403f7c 14964->14965 14966 403f4e GetLastError 14964->14966 14968 403f8c ReadFile 14965->14968 14966->14965 14967 403f5b WaitForSingleObject GetOverlappedResult 14966->14967 14967->14965 14969 403fc2 GetLastError 14968->14969 14971 403ff0 14968->14971 14970 403fcf WaitForSingleObject GetOverlappedResult 14969->14970 14969->14971 14970->14971 14971->14926 14971->14927 14998 40eb74 14972->14998 14976 40ec37 14975->14976 14977 40438f 14975->14977 15001 40eba0 14976->15001 14977->14938 14981 406e24 14980->14981 14982 406dd7 14980->14982 14981->14957 14986 406cc9 14982->14986 14984 406ddc 14984->14981 14984->14984 14985 406e02 GetVolumeInformationA 14984->14985 14985->14981 14987 406cdc GetModuleHandleA GetProcAddress 14986->14987 14988 406dbe 14986->14988 14989 406d12 GetSystemDirectoryA 14987->14989 14990 406cfd 14987->14990 14988->14984 14991 406d27 GetWindowsDirectoryA 14989->14991 14992 406d1e 14989->14992 14990->14989 14994 406d8b 14990->14994 14993 406d42 14991->14993 14992->14991 14992->14994 14996 40ef1e lstrlenA 14993->14996 14994->14988 14997 40ef32 14996->14997 14997->14994 14999 40eb7b GetProcessHeap HeapSize 14998->14999 15000 404350 14998->15000 14999->15000 15000->14934 15002 40eba7 GetProcessHeap HeapSize 15001->15002 15003 40ebbf GetProcessHeap HeapFree 15001->15003 15002->15003 15003->14977 15005 409794 CreateProcessA 15004->15005 15005->14943 15005->14944 15007 406386 15006->15007 15008 40638a GetModuleHandleA VirtualAlloc 15006->15008 15007->14950 15009 4063f5 15008->15009 15010 4063b6 15008->15010 15009->14950 15011 4063be VirtualAllocEx 15010->15011 15011->15009 15012 4063d6 15011->15012 15013 4063df WriteProcessMemory 15012->15013 15013->15009 15042 409a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter 15159 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15042->15159 
15044 409a95 15045 409aa3 GetModuleHandleA GetModuleFileNameA 15044->15045 15050 40a3c7 15044->15050 15058 409ac4 15045->15058 15046 40a41c CreateThread WSAStartup 15270 40e52e 15046->15270 16097 40405e CreateEventA 15046->16097 15047 409afd GetCommandLineA 15059 409b22 15047->15059 15048 40a406 DeleteFileA 15048->15050 15051 40a40d 15048->15051 15050->15046 15050->15048 15050->15051 15053 40a3ed GetLastError 15050->15053 15051->15046 15052 40a445 15289 40eaaf 15052->15289 15053->15051 15056 40a3f8 Sleep 15053->15056 15055 40a44d 15293 401d96 15055->15293 15056->15048 15058->15047 15063 409c0c 15059->15063 15069 409b47 15059->15069 15060 40a457 15341 4080c9 15060->15341 15160 4096aa 15063->15160 15073 409b96 lstrlenA 15069->15073 15075 409b58 15069->15075 15070 40a1d2 15076 40a1e3 GetCommandLineA 15070->15076 15071 409c39 15074 40a167 GetModuleHandleA GetModuleFileNameA 15071->15074 15080 409c4b 15071->15080 15073->15075 15078 409c05 ExitProcess 15074->15078 15079 40a189 15074->15079 15075->15078 15081 409bd2 15075->15081 15104 40a205 15076->15104 15079->15078 15089 40a1b2 GetDriveTypeA 15079->15089 15080->15074 15083 404280 30 API calls 15080->15083 15172 40675c 15081->15172 15084 409c5b 15083->15084 15084->15074 15091 40675c 21 API calls 15084->15091 15089->15078 15090 40a1c5 15089->15090 15262 409145 GetModuleHandleA GetModuleFileNameA CharToOemA 15090->15262 15093 409c79 15091->15093 15093->15074 15100 409ca0 GetTempPathA 15093->15100 15101 409e3e 15093->15101 15094 409bff 15094->15078 15096 40a491 15097 40a49f GetTickCount 15096->15097 15098 40a4be Sleep 15096->15098 15103 40a4b7 GetTickCount 15096->15103 15387 40c913 15096->15387 15097->15096 15097->15098 15098->15096 15100->15101 15102 409cba 15100->15102 15107 409e6b GetEnvironmentVariableA 15101->15107 15112 409e04 15101->15112 15210 4099d2 lstrcpyA 15102->15210 15103->15098 15108 40a239 15104->15108 15109 40a285 lstrlenA 15104->15109 15106 40ec2e codecvt 4 API calls 15111 40a15d 15106->15111 15107->15112 
15113 409e7d 15107->15113 15168 406ec3 15108->15168 15109->15108 15111->15074 15111->15078 15112->15106 15114 4099d2 16 API calls 15113->15114 15117 409e9d 15114->15117 15115 406dc2 6 API calls 15118 409d5f 15115->15118 15117->15112 15120 409eb0 lstrcpyA lstrlenA 15117->15120 15123 406cc9 5 API calls 15118->15123 15119 40a3c2 15121 4098f2 41 API calls 15119->15121 15122 409ef4 15120->15122 15121->15050 15124 406dc2 6 API calls 15122->15124 15127 409f03 15122->15127 15126 409d72 lstrcpyA lstrcatA lstrcatA 15123->15126 15124->15127 15125 40a39d StartServiceCtrlDispatcherA 15125->15119 15130 409cf6 15126->15130 15128 409f32 RegOpenKeyExA 15127->15128 15129 409f48 RegSetValueExA RegCloseKey 15128->15129 15134 409f70 15128->15134 15129->15134 15217 409326 15130->15217 15131 40a35f 15131->15119 15131->15125 15139 409f9d GetModuleHandleA GetModuleFileNameA 15134->15139 15135 409e0c DeleteFileA 15135->15101 15136 409dde GetFileAttributesExA 15136->15135 15137 409df7 15136->15137 15137->15112 15254 4096ff 15137->15254 15141 409fc2 15139->15141 15142 40a093 15139->15142 15141->15142 15148 409ff1 GetDriveTypeA 15141->15148 15143 40a103 CreateProcessA 15142->15143 15144 40a0a4 wsprintfA 15142->15144 15145 40a13a 15143->15145 15146 40a12a DeleteFileA 15143->15146 15260 402544 15144->15260 15145->15112 15151 4096ff 3 API calls 15145->15151 15146->15145 15148->15142 15150 40a00d 15148->15150 15153 40a02d lstrcatA 15150->15153 15151->15112 15152 40ee2a 15154 40a0ec lstrcatA 15152->15154 15155 40a046 15153->15155 15154->15143 15156 40a052 lstrcatA 15155->15156 15157 40a064 lstrcatA 15155->15157 15156->15157 15157->15142 15158 40a081 lstrcatA 15157->15158 15158->15142 15159->15044 15161 4096b9 15160->15161 15490 4073ff 15161->15490 15163 4096e2 15164 4096e9 15163->15164 15165 4096fa 15163->15165 15510 40704c 15164->15510 15165->15070 15165->15071 15167 4096f7 15167->15165 15169 406ed5 15168->15169 15170 406ecc 15168->15170 15169->15131 15535 406e36 GetUserNameW 15170->15535 15173 
406784 CreateFileA 15172->15173 15174 40677a SetFileAttributesA 15172->15174 15175 4067a4 CreateFileA 15173->15175 15176 4067b5 15173->15176 15174->15173 15175->15176 15177 4067c5 15176->15177 15178 4067ba SetFileAttributesA 15176->15178 15179 406977 15177->15179 15180 4067cf GetFileSize 15177->15180 15178->15177 15179->15078 15197 406a60 CreateFileA 15179->15197 15181 4067e5 15180->15181 15196 406922 15180->15196 15183 4067ed ReadFile 15181->15183 15181->15196 15182 40696e CloseHandle 15182->15179 15184 406811 SetFilePointer 15183->15184 15183->15196 15185 40682a ReadFile 15184->15185 15184->15196 15186 406848 SetFilePointer 15185->15186 15185->15196 15187 406867 15186->15187 15186->15196 15188 406878 ReadFile 15187->15188 15189 4068d0 15187->15189 15188->15187 15188->15189 15189->15182 15190 40ebcc 4 API calls 15189->15190 15191 4068f8 15190->15191 15192 406900 SetFilePointer 15191->15192 15191->15196 15193 40695a 15192->15193 15194 40690d ReadFile 15192->15194 15195 40ec2e codecvt 4 API calls 15193->15195 15194->15193 15194->15196 15195->15196 15196->15182 15198 406b8c GetLastError 15197->15198 15199 406a8f GetDiskFreeSpaceA 15197->15199 15200 406b86 15198->15200 15201 406ac5 15199->15201 15208 406ad7 15199->15208 15200->15094 15538 40eb0e 15201->15538 15205 406b56 CloseHandle 15205->15200 15207 406b65 GetLastError CloseHandle 15205->15207 15206 406b36 GetLastError CloseHandle 15209 406b7f DeleteFileA 15206->15209 15207->15209 15542 406987 15208->15542 15209->15200 15211 4099eb 15210->15211 15212 409a2f lstrcatA 15211->15212 15213 40ee2a 15212->15213 15214 409a4b lstrcatA 15213->15214 15215 406a60 13 API calls 15214->15215 15216 409a60 15215->15216 15216->15101 15216->15115 15216->15130 15552 401910 15217->15552 15220 40934a GetModuleHandleA GetModuleFileNameA 15222 40937f 15220->15222 15223 4093a4 15222->15223 15224 4093d9 15222->15224 15225 4093c3 wsprintfA 15223->15225 15226 409401 wsprintfA 15224->15226 15228 409415 15225->15228 15226->15228 15227 4094a0 
15554 406edd 15227->15554 15228->15227 15231 406cc9 5 API calls 15228->15231 15230 4094ac 15232 40962f 15230->15232 15233 4094e8 RegOpenKeyExA 15230->15233 15234 409439 15231->15234 15239 409646 15232->15239 15575 401820 15232->15575 15236 409502 15233->15236 15237 4094fb 15233->15237 15241 40ef1e lstrlenA 15234->15241 15240 40951f RegQueryValueExA 15236->15240 15237->15232 15242 40958a 15237->15242 15248 4095d6 15239->15248 15581 4091eb 15239->15581 15243 409530 15240->15243 15244 409539 15240->15244 15245 409462 15241->15245 15242->15239 15246 409593 15242->15246 15247 40956e RegCloseKey 15243->15247 15249 409556 RegQueryValueExA 15244->15249 15250 40947e wsprintfA 15245->15250 15246->15248 15562 40f0e4 15246->15562 15247->15237 15248->15135 15248->15136 15249->15243 15249->15247 15250->15227 15252 4095bb 15252->15248 15569 4018e0 15252->15569 15255 402544 15254->15255 15256 40972d RegOpenKeyExA 15255->15256 15257 409740 15256->15257 15258 409765 15256->15258 15259 40974f RegDeleteValueA RegCloseKey 15257->15259 15258->15112 15259->15258 15261 402554 lstrcatA 15260->15261 15261->15152 15263 402544 15262->15263 15264 40919e wsprintfA 15263->15264 15265 4091bb 15264->15265 15619 409064 GetTempPathA 15265->15619 15268 4091d5 ShellExecuteA 15269 4091e7 15268->15269 15269->15094 15626 40dd05 GetTickCount 15270->15626 15272 40e538 15633 40dbcf 15272->15633 15274 40e544 15275 40e555 GetFileSize 15274->15275 15279 40e5b8 15274->15279 15276 40e5b1 CloseHandle 15275->15276 15277 40e566 15275->15277 15276->15279 15643 40db2e 15277->15643 15652 40e3ca RegOpenKeyExA 15279->15652 15281 40e576 ReadFile 15281->15276 15283 40e58d 15281->15283 15647 40e332 15283->15647 15284 40e5f2 15287 40e629 15284->15287 15288 40e3ca 19 API calls 15284->15288 15287->15052 15288->15287 15290 40eabe 15289->15290 15292 40eaba 15289->15292 15291 40dd05 6 API calls 15290->15291 15290->15292 15291->15292 15292->15055 15294 40ee2a 15293->15294 15295 401db4 GetVersionExA 15294->15295 15296 401dd0 
16477->16490 16491 405935 lstrcpynA 16477->16491 16492 404ae6 8 API calls 16477->16492 16493 4058e7 lstrcpyA 16477->16493 16498 404ae6 16477->16498 16502 40ef7c lstrlenA lstrlenA lstrlenA 16477->16502 16504 404699 16478->16504 16481 404763 lstrlenA 16482 405b6e 16481->16482 16525 404f9f 16482->16525 16484 405b79 16484->16327 16486 405549 lstrlenA 16486->16477 16488->16477 16489->16477 16490->16477 16491->16477 16492->16477 16493->16477 16496 40477a 16494->16496 16495 404859 16495->16477 16496->16495 16497 40480d lstrlenA 16496->16497 16497->16496 16499 404af3 16498->16499 16501 404b03 16498->16501 16500 40ebed 8 API calls 16499->16500 16500->16501 16501->16486 16503 40efb4 16502->16503 16503->16477 16530 4045b3 16504->16530 16507 4045b3 7 API calls 16508 4046c6 16507->16508 16509 4045b3 7 API calls 16508->16509 16510 4046d8 16509->16510 16511 4045b3 7 API calls 16510->16511 16512 4046ea 16511->16512 16513 4045b3 7 API calls 16512->16513 16514 4046ff 16513->16514 16515 4045b3 7 API calls 16514->16515 16516 404711 16515->16516 16517 4045b3 7 API calls 16516->16517 16518 404723 16517->16518 16519 40ef7c 3 API calls 16518->16519 16520 404735 16519->16520 16521 40ef7c 3 API calls 16520->16521 16522 40474a 16521->16522 16523 40ef7c 3 API calls 16522->16523 16524 40475c 16523->16524 16524->16481 16526 404fac 16525->16526 16529 404fb0 16525->16529 16526->16484 16527 404ffd 16527->16484 16528 404fd5 IsBadCodePtr 16528->16529 16529->16527 16529->16528 16531 4045c1 16530->16531 16532 4045c8 16530->16532 16534 40ebcc 4 API calls 16531->16534 16533 4045e1 16532->16533 16535 40ebcc 4 API calls 16532->16535 16536 404691 16533->16536 16537 40ef7c 3 API calls 16533->16537 16534->16532 16535->16533 16536->16507 16537->16533 16553 402d21 GetModuleHandleA 16538->16553 16541 402fcf GetProcessHeap HeapFree 16545 402f44 16541->16545 16542 402f4f 16544 402f6b GetProcessHeap HeapFree 16542->16544 16543 402f85 16543->16541 16543->16543 16544->16545 16545->16379 16547 403900 16546->16547 
16551 403980 16546->16551 16548 4030fa 4 API calls 16547->16548 16552 40390a 16548->16552 16549 40391b GetCurrentThreadId 16549->16552 16550 403939 GetCurrentThreadId 16550->16552 16551->16387 16552->16549 16552->16550 16552->16551 16554 402d46 LoadLibraryA 16553->16554 16555 402d5b GetProcAddress 16553->16555 16554->16555 16557 402d54 16554->16557 16555->16557 16559 402d6b 16555->16559 16556 402d97 GetProcessHeap HeapAlloc 16556->16557 16556->16559 16557->16542 16557->16543 16557->16545 16558 402db5 lstrcpynA 16558->16559 16559->16556 16559->16557 16559->16558 16561 40adbf 16560->16561 16585 40ad08 gethostname 16561->16585 16564 4030b5 2 API calls 16565 40add3 16564->16565 16566 40a7a3 inet_ntoa 16565->16566 16573 40ade4 16565->16573 16566->16573 16567 40ae85 wsprintfA 16568 40ef7c 3 API calls 16567->16568 16570 40aebb 16568->16570 16569 40ae36 wsprintfA wsprintfA 16571 40ef7c 3 API calls 16569->16571 16572 40ef7c 3 API calls 16570->16572 16571->16573 16574 40aed2 16572->16574 16573->16567 16573->16569 16575 40b211 16574->16575 16576 40b2bb FileTimeToLocalFileTime FileTimeToSystemTime 16575->16576 16577 40b2af GetLocalTime 16575->16577 16578 40b2d2 16576->16578 16577->16578 16579 40b2d9 SystemTimeToFileTime 16578->16579 16580 40b31c GetTimeZoneInformation 16578->16580 16581 40b2ec 16579->16581 16582 40b33a wsprintfA 16580->16582 16583 40b312 FileTimeToSystemTime 16581->16583 16582->16432 16583->16580 16586 40ad71 16585->16586 16591 40ad26 lstrlenA 16585->16591 16588 40ad85 16586->16588 16589 40ad79 lstrcpyA 16586->16589 16588->16564 16589->16588 16590 40ad68 lstrlenA 16590->16586 16591->16586 16591->16590 16593 40f428 14 API calls 16592->16593 16594 40198a 16593->16594 16595 401990 closesocket 16594->16595 16596 401998 16594->16596 16595->16596 16596->16174 16598 402d21 6 API calls 16597->16598 16599 402f01 16598->16599 16600 402f0f 16599->16600 16613 402df2 GetModuleHandleA 16599->16613 16602 402684 2 API calls 16600->16602 16604 402f1f 16600->16604 16603 402f1d 
16602->16603 16603->16189 16604->16189 16609 401c80 16605->16609 16606 401d1c 16606->16606 16610 401d47 wsprintfA 16606->16610 16607 401cc2 wsprintfA 16608 402684 2 API calls 16607->16608 16608->16609 16609->16606 16609->16607 16611 401d79 16609->16611 16612 402684 2 API calls 16610->16612 16611->16185 16612->16611 16614 402e10 LoadLibraryA 16613->16614 16615 402e0b 16613->16615 16616 402e17 16614->16616 16615->16614 16615->16616 16617 402ef1 16616->16617 16618 402e28 GetProcAddress 16616->16618 16617->16600 16618->16617 16619 402e3e GetProcessHeap HeapAlloc 16618->16619 16620 402e62 16619->16620 16620->16617 16621 402ede GetProcessHeap HeapFree 16620->16621 16622 402e7f htons inet_addr 16620->16622 16623 402ea5 gethostbyname 16620->16623 16625 402ceb 16620->16625 16621->16617 16622->16620 16622->16623 16623->16620 16627 402cf2 16625->16627 16628 402d1c 16627->16628 16629 402d0e Sleep 16627->16629 16630 402a62 GetProcessHeap HeapAlloc 16627->16630 16628->16620 16629->16627 16629->16628 16631 402a92 16630->16631 16632 402a99 socket 16630->16632 16631->16627 16633 402cd3 GetProcessHeap HeapFree 16632->16633 16634 402ab4 16632->16634 16633->16631 16634->16633 16642 402abd 16634->16642 16635 402adb htons 16650 4026ff 16635->16650 16637 402b04 select 16637->16642 16638 402ca4 16639 402cb3 GetProcessHeap HeapFree closesocket 16638->16639 16639->16631 16640 402b3f recv 16640->16642 16641 402b66 htons 16641->16638 16641->16642 16642->16635 16642->16637 16642->16638 16642->16639 16642->16640 16642->16641 16643 402b87 htons 16642->16643 16645 402bf3 GetProcessHeap HeapAlloc 16642->16645 16647 402c17 htons 16642->16647 16649 402c4d GetProcessHeap HeapFree 16642->16649 16657 402923 16642->16657 16669 402904 16642->16669 16643->16638 16643->16642 16645->16642 16665 402871 16647->16665 16649->16642 16651 40271d 16650->16651 16652 402717 16650->16652 16654 40272b GetTickCount htons 16651->16654 16653 40ebcc 4 API calls 16652->16653 16653->16651 16655 4027cc htons htons sendto 
16654->16655 16656 40278a 16654->16656 16655->16642 16656->16655 16658 402944 16657->16658 16660 40293d 16657->16660 16673 402816 htons 16658->16673 16660->16642 16661 402871 htons 16664 402950 16661->16664 16662 4029bd htons htons htons 16662->16660 16663 4029f6 GetProcessHeap HeapAlloc 16662->16663 16663->16660 16663->16664 16664->16660 16664->16661 16664->16662 16666 4028e3 16665->16666 16667 402889 16665->16667 16666->16642 16667->16666 16668 4028c3 htons 16667->16668 16668->16666 16668->16667 16670 402921 16669->16670 16671 402908 16669->16671 16670->16642 16672 402909 GetProcessHeap HeapFree 16671->16672 16672->16670 16672->16672 16674 40286b 16673->16674 16675 402836 16673->16675 16674->16664 16675->16674 16676 40285c htons 16675->16676 16676->16674 16676->16675 16678 406bc0 16677->16678 16679 406bbc 16677->16679 16680 40ebcc 4 API calls 16678->16680 16687 406bd4 16678->16687 16679->16215 16681 406be4 16680->16681 16682 406c07 CreateFileA 16681->16682 16683 406bfc 16681->16683 16681->16687 16685 406c34 WriteFile 16682->16685 16686 406c2a 16682->16686 16684 40ec2e codecvt 4 API calls 16683->16684 16684->16687 16689 406c49 CloseHandle DeleteFileA 16685->16689 16690 406c5a CloseHandle 16685->16690 16688 40ec2e codecvt 4 API calls 16686->16688 16687->16215 16688->16687 16689->16686 16691 40ec2e codecvt 4 API calls 16690->16691 16691->16687 15014 620005 15019 62092b GetPEB 15014->15019 15016 620030 15021 62003c 15016->15021 15020 620972 15019->15020 15020->15016 15022 620049 15021->15022 15036 620e0f SetErrorMode SetErrorMode 15022->15036 15027 620265 15028 6202ce VirtualProtect 15027->15028 15030 62030b 15028->15030 15029 620439 VirtualFree 15031 6205f4 LoadLibraryA 15029->15031 15034 6204be 15029->15034 15030->15029 15035 6208c7 15031->15035 15032 6204e3 LoadLibraryA 15032->15034 15034->15031 15034->15032 15037 620223 15036->15037 15038 620d90 15037->15038 15039 620dad 15038->15039 15040 620238 VirtualAlloc 15039->15040 15041 620dbb GetPEB 15039->15041 
15040->15027 15041->15040 16743 688fe6 16744 688ff5 16743->16744 16747 689786 16744->16747 16749 6897a1 16747->16749 16748 6897aa CreateToolhelp32Snapshot 16748->16749 16750 6897c6 Module32First 16748->16750 16749->16748 16749->16750 16751 688ffe 16750->16751 16752 6897d5 16750->16752 16754 689445 16752->16754 16755 689470 16754->16755 16756 6894b9 16755->16756 16757 689481 VirtualAlloc 16755->16757 16756->16756 16757->16756 16692 417afc 16697 41782a 16692->16697 16694 417b04 16696 41782a 31 API calls 16694->16696 16720 4175c3 GlobalAlloc 16694->16720 16696->16694 16698 417837 16697->16698 16699 4178b5 9 API calls 16698->16699 16704 417947 16698->16704 16700 41792f 16699->16700 16700->16704 16701 417965 GetCommProperties SetLastError 16703 417982 GetProcessDefaultLayout 16701->16703 16701->16704 16702 417956 GlobalAlloc AddAtomA 16702->16701 16703->16704 16704->16701 16704->16702 16705 417995 ReleaseActCtx 16704->16705 16706 41799c GetConsoleAliasesA 16704->16706 16707 4179bc FoldStringW 16704->16707 16708 4179d4 16704->16708 16705->16706 16706->16704 16707->16704 16711 417a04 SetConsoleTitleA LocalFree 16708->16711 16714 417a18 16708->16714 16710 417a4d LoadLibraryA 16722 417600 16710->16722 16711->16714 16721 4175c3 GlobalAlloc 16714->16721 16717 417aac 16727 4177eb 16717->16727 16719 417ab1 16719->16694 16720->16694 16721->16710 16723 41763f 16722->16723 16724 41764b GetModuleHandleW GetProcAddress 16723->16724 16725 417721 16723->16725 16724->16723 16726 4175e2 VirtualProtect 16725->16726 16726->16717 16734 417746 16727->16734 16729 417804 16730 417820 16729->16730 16731 41780e UnhandledExceptionFilter FindFirstVolumeA 16729->16731 16739 41779d 16730->16739 16731->16730 16735 417763 16734->16735 16736 41775b CreateJobObjectW 16734->16736 16737 417792 16735->16737 16738 417777 OpenJobObjectW BuildCommDCBW LoadLibraryA 16735->16738 16736->16735 16737->16729 16738->16737 16740 4177d2 16739->16740 16741 4177a8 16739->16741 16740->16719 16741->16740 16742 4177c3 
SleepEx 16741->16742 16742->16741
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
• SetErrorMode.KERNELBASE(00000003), ref: 00409A83
• SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
  • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
  • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
• GetCommandLineA.KERNEL32 ref: 00409AFD
• lstrlenA.KERNEL32(?), ref: 00409B99
• ExitProcess.KERNEL32 ref: 00409C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
• lstrcatA.KERNEL32(?,?), ref: 00409D8B
• lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
• DeleteFileA.KERNEL32(00000022), ref: 00409E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
• lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
• wsprintfA.USER32 ref: 0040A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
• GetCommandLineA.KERNEL32 ref: 0040A1E5
  • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
  • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
• lstrlenA.KERNEL32(?), ref: 0040A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• GetLastError.KERNEL32 ref: 0040A3ED
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe), ref: 0040A407
• CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
• CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
• Sleep.KERNEL32(00000BB8), ref: 0040A48A
• GetTickCount.KERNEL32 ref: 0040A49F
• GetTickCount.KERNEL32 ref: 0040A4B7
• Sleep.KERNEL32(00001A90), ref: 0040A4C3
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
• API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
• String ID: "$"$"$%X%08X$C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe$C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe$D$P$\$jcbeaetw
• API String ID: 2089075347-3116346850
• Opcode ID: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
• Opcode Fuzzy Hash: 69071e7f72711d21cff6056459b1329949a0fa875525a2a87badba31d3a6a59d
• Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

Control-flow Graph

control_flow_graph 551 40637c-406384 552 406386-406389 551->552 553 40638a-4063b4 GetModuleHandleA VirtualAlloc 551->553 554 4063f5-4063f7 553->554 555 4063b6-4063d4 call 40ee08 VirtualAllocEx 553->555 557 40640b-40640f 554->557 555->554 559 4063d6-4063f3 call 4062b7 WriteProcessMemory 555->559 559->554 562 4063f9-40640a 559->562 562->557
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
• Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
• Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
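Read in order, the two API lists above describe the installer path of the routine at 00409A7F (a path built with GetTempPathA and lstrcatA, a REG_SZ value written under HKEY_CURRENT_USER, a relaunch through CreateProcessA with dwCreationFlags 0x08000000, then StartServiceCtrlDispatcherA and, once that returns, a one-second Sleep and DeleteFileA on the submitted sample's own path; the string list names the dropped copy C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe) and, at 0040637c, a remote-memory write primitive (VirtualAllocEx with flProtect 0x40, then WriteProcessMemory). Two properties of this report format matter when reading the lists: a slot printed as `?` was not recoverable, and the parentheses show raw stack slots rather than parameters, so values past an API's documented parameter count (the 00000103 that recurs in RegSetValueExA, RegCloseKey and the GetModuleFileNameA lines, which take six, one and three parameters) are most likely leftovers from earlier frames and not arguments. The Python script below is an added example, not part of the Joe Sandbox report: it parses API lines in the format printed above (a subset of the lines, copied from this page and embedded as sample input), decodes the flag constants only at their documented parameter positions, and applies three behaviour rules whose names and logic are mine rather than Joe Sandbox signatures.

```python
import re
from dataclasses import dataclass

# One API line as the report prints it: bullet, optional "Part of subcall function"
# prefix, API.MODULE(raw stack slots), "ref:" address.
LINE_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?"
)

@dataclass
class Call:
    api: str
    module: str
    args: list      # raw slot text: 8-digit hex, '?' (unrecovered) or a rendered string
    ref: str
    nested: bool    # printed as "Part of subcall function": belongs to a callee

def parse_report(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        args = [a.strip() for a in (m.group("args") or "").split(",") if a.strip()]
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref") or "",
                          "Part of subcall" in line))
    return calls

def as_int(call, idx):
    """Slot idx as an integer, or None when the report printed '?' or a string."""
    try:
        return int(call.args[idx], 16)
    except (IndexError, ValueError):
        return None

# Win32 constants for the slots that carry flags (values from the Windows SDK headers).
CREATION_FLAGS = {0x00000004: "CREATE_SUSPENDED", 0x00000008: "DETACHED_PROCESS",
                  0x00000010: "CREATE_NEW_CONSOLE", 0x08000000: "CREATE_NO_WINDOW"}
REG_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
             0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}          # every PAGE_EXECUTE* value

def flag_names(value, table):
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    return "|".join(names + ([hex(rest)] if rest else [])) or "0"

def decode(call):
    """Readable form of the flag-bearing parameter, read only at its documented position."""
    if call.api == "CreateProcessA" and (v := as_int(call, 5)) is not None:
        return f"dwCreationFlags={flag_names(v, CREATION_FLAGS)}"
    if call.api == "RegOpenKeyExA" and (v := as_int(call, 0)) is not None:
        return f"hKey={REG_ROOTS.get(v, hex(v))}"
    if call.api == "RegSetValueExA" and (v := as_int(call, 3)) is not None:
        return f"dwType={REG_TYPES.get(v, hex(v))}"
    if call.api in ("VirtualAlloc", "VirtualAllocEx"):
        v = as_int(call, 3 if call.api == "VirtualAlloc" else 4)
        if v is not None:
            return f"flProtect={PAGE_PROTECT.get(v, hex(v))}"
    return None

def findings(calls):
    """Behaviour rules over the routine's own call order (callee lines are skipped)."""
    top = [c for c in calls if not c.nested]
    out = []
    for i, c in enumerate(top):  # rule 1: executable remote allocation, then a write into it
        if c.api == "VirtualAllocEx" and as_int(c, 4) in EXECUTABLE \
                and any(d.api == "WriteProcessMemory" for d in top[i + 1:]):
            out.append(f"executable VirtualAllocEx at {c.ref} followed by WriteProcessMemory")
            break
    for i, c in enumerate(top):  # rule 2: hidden relaunch, then an .exe deleted from disk
        if c.api == "CreateProcessA" and (as_int(c, 5) or 0) & 0x08000000:
            deleted = [d.args[0] for d in top[i + 1:] if d.api == "DeleteFileA"
                       and d.args and d.args[0].lower().endswith(".exe")]
            if deleted:
                out.append(f"hidden CreateProcessA at {c.ref}, then DeleteFileA of {deleted[0]}")
            break
    if {"CreateProcessA", "StartServiceCtrlDispatcherA"} <= {c.api for c in top}:  # rule 3
        out.append("StartServiceCtrlDispatcherA next to CreateProcessA: runs as a service")
    return out

def analyze(text):
    calls = parse_report(text)
    return {"decoded": {f"{c.api}@{c.ref}": decode(c) for c in calls if decode(c)},
            "findings": findings(calls)}

# Sample input: a subset of the API lines printed in the report above (copied, not captured).
MAIN_ROUTINE = r"""
• SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
  • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
• GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
• Sleep.KERNEL32(000003E8), ref: 0040A400
• DeleteFileA.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe), ref: 0040A407
• WSAStartup.WS2_32(00001010,?), ref: 0040A43A
"""
INJECT_STUB = r"""
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
"""

if __name__ == "__main__":
    for name, text in (("main routine", MAIN_ROUTINE), ("injection stub", INJECT_STUB)):
        print(name, analyze(text))
```

On the main routine the script reports `dwCreationFlags=CREATE_NO_WINDOW`, `hKey=HKEY_CURRENT_USER` and `dwType=REG_SZ` plus the relaunch-then-delete and service findings; on the stub it reports `flProtect=PAGE_EXECUTE_READWRITE` for VirtualAllocEx (and plain `PAGE_READWRITE` for the local VirtualAlloc) and the injection finding. Rule 2 deliberately ignores the earlier `DeleteFileA(00000022,...)` because that slot is a buffer pointer, not a rendered path, which is the same distinction a detection over real API telemetry has to make.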

Control-flow Graph

control_flow_graph 264 41782a-417844 266 417846-41784b 264->266 267 417861 266->267 268 41784d-41785f 266->268 269 417867-41786d 267->269 268->269 270 417880-417886 269->270 271 41786f-417876 269->271 270->266 272 417888 270->272 271->270 273 41788a-41788f 272->273 274 417891-417897 273->274 275 41789d-4178a3 273->275 274->275 275->273 276 4178a5-4178af 275->276 277 4178b5-41792d lstrcatW InterlockedExchangeAdd WriteConsoleA lstrcpynW GetAtomNameA SetFileApisToANSI SetVolumeMountPointA GetModuleFileNameW EnumDateFormatsW 276->277 278 417947-417948 276->278 279 417939-417946 277->279 280 41792f-417932 277->280 281 41794a-417954 278->281 279->278 280->279 282 417965-417980 GetCommProperties SetLastError 281->282 283 417956-41795f GlobalAlloc AddAtomA 281->283 284 417982-417983 GetProcessDefaultLayout 282->284 285 417989-417993 282->285 283->282 284->285 288 417995-417996 ReleaseActCtx 285->288 289 41799c-4179b1 GetConsoleAliasesA 285->289 288->289 290 4179b3-4179ba 289->290 291 4179c7-4179ce 289->291 290->291 293 4179bc-4179c1 FoldStringW 290->293 291->281 294 4179d4-4179de 291->294 293->291 295 4179e0-417a02 294->295 296 417a48-417a56 call 4175c3 294->296 300 417a22-417a45 295->300 301 417a04-417a18 SetConsoleTitleA LocalFree 295->301 302 417a58-417a8a 296->302 303 417a9b-417aa7 LoadLibraryA call 417600 call 4175e2 296->303 300->296 301->300 305 417a96-417a99 302->305 306 417a8c 302->306 312 417aac-417ab3 call 4177eb 303->312 305->302 305->303 306->305 316 417ab4-417ab9 312->316 318 417ac0-417ac6 316->318 319 417abb call 4175d7 316->319 318->316 321 417ac8 318->321 319->318 323 417ad2-417ad8 321->323 324 417ae6-417aed 323->324 325 417ada-417ae4 323->325 324->323 326 417aef-417afb 324->326 325->324 325->326
APIs
• lstrcatW.KERNEL32(?,00000000), ref: 004178BD
• InterlockedExchangeAdd.KERNEL32(?,00000000), ref: 004178CB
• WriteConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 004178E2
• lstrcpynW.KERNEL32(?,00000000,00000000), ref: 004178F1
• GetAtomNameA.KERNEL32(00000000,00000000,00000000), ref: 004178FA
• SetFileApisToANSI.KERNEL32 ref: 00417900
• SetVolumeMountPointA.KERNEL32(00000000,00000000), ref: 00417908
• GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 00417917
• EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 00417920
• GlobalAlloc.KERNEL32(00000000,00000000), ref: 00417958
• AddAtomA.KERNEL32(00000000), ref: 0041795F
• GetCommProperties.KERNELBASE(00000000,?), ref: 0041796D
• SetLastError.KERNEL32(00000000), ref: 00417974
• GetProcessDefaultLayout.USER32(00000000), ref: 00417983
• ReleaseActCtx.KERNEL32(00000000), ref: 00417996
• GetConsoleAliasesA.KERNEL32(?,00000000,00000000), ref: 004179A5
• FoldStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004179C1
• SetConsoleTitleA.KERNEL32(00000000), ref: 00417A05
• LocalFree.KERNEL32(00000000), ref: 00417A0C
• LoadLibraryA.KERNELBASE(00419458), ref: 00417AA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220350402.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_415000_szylttbf.jbxd
                                                                                            Similarity
                                                                                            • API ID: Console$AtomFileName$AliasesAllocApisCommDateDefaultEnumErrorExchangeFoldFormatsFreeGlobalInterlockedLastLayoutLibraryLoadLocalModuleMountPointProcessPropertiesReleaseStringTitleVolumeWritelstrcatlstrcpyn
                                                                                            • String ID: k`$tl_$}$
                                                                                            • API String ID: 1756273361-211918992
                                                                                            • Opcode ID: 3697615f451d7fc26fb8104d22a62db024d6b7e65e0f42aee9dd171e956c996e
                                                                                            • Instruction ID: b72458c26081517cb692f213dc5e595fb7550a1c7ca338c38081d81411803abd
                                                                                            • Opcode Fuzzy Hash: 3697615f451d7fc26fb8104d22a62db024d6b7e65e0f42aee9dd171e956c996e
                                                                                            • Instruction Fuzzy Hash: 76617E71909524ABD725AB66EC48DDF7F7CEF0A395B10403EF106D2161CB388A85CBAD

                                                                                             Control-flow Graph
                                                                                             (rendered control-flow graph not preserved; basic blocks 004073FF-00407808)
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 00407472
                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 004074F0
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 00407528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 004076E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 00407717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 00407745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 004077EF
                                                                                              • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                                            • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689
                                                                                            • Opcode ID: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                                            • Opcode Fuzzy Hash: 58688efdc745e23d79e1c9d42d0b110b33b2b67bc428880df89735915a056cb6
                                                                                            • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                                             Control-flow Graph
                                                                                             (rendered control-flow graph not preserved; basic blocks 0062003C-0062091D)
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0062024D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID: cess$kernel32.dll
                                                                                            • API String ID: 4275171209-1230238691
                                                                                            • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction ID: 42ec4702e70d4e90e99a8a4f860a1c510c2e99c0fd791167ea9c40f41969c617
                                                                                            • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                                            • Instruction Fuzzy Hash: FB526874A01229DFDB64CF58D985BA8BBB1BF09304F1480D9E94DAB352DB30AE85DF14

                                                                                             Control-flow Graph
                                                                                             (rendered control-flow graph not preserved; basic blocks 0040977C-00409866)
                                                                                            APIs
                                                                                            • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                                            • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                                            • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                                            • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                                            • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2098669666-2746444292
                                                                                            • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                                            • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                                            • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                                            • GetTickCount.KERNEL32 ref: 0040EC78
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID: 6]*,
                                                                                            • API String ID: 1209300637-3453183305
                                                                                            • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                            • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                                             Control-flow Graph
                                                                                             (rendered control-flow graph not preserved; basic blocks 00404000-0040405C)
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                                            • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                                            • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 408151869-0
                                                                                            • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                                            • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                                            • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                                             Control-flow Graph
                                                                                             (rendered control-flow graph not preserved; basic blocks 00406E36-00406EC2)
                                                                                            APIs
                                                                                            • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                                            • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountLookupUser
                                                                                            • String ID:
                                                                                            • API String ID: 2370142434-0
                                                                                            • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                                            • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                                            • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                                             Control-flow Graph
                                                                                             (rendered control-flow graph not preserved; basic blocks 00689786-006897E4)
                                                                                            APIs
                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006897AE
                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 006897CE
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2221208662.0000000000688000.00000040.00000020.00020000.00000000.sdmp, Offset: 00688000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_688000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                                            • String ID:
                                                                                            • API String ID: 3833638111-0
                                                                                            • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction ID: 508f58dbad769f6589ca7e1bceeacf823e06bda97a27c21d0365b35e30fc9f00
                                                                                            • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                                            • Instruction Fuzzy Hash: 95F062312107116FD7203EB59C8DABA76EAAF49765F180628F646915C0DA70E8454B71

                                                                                             Control-flow Graph
                                                                                             (rendered control-flow graph not preserved; basic blocks 00620E0F-00620E2C)
                                                                                            APIs
                                                                                            • SetErrorMode.KERNELBASE(00000400,?,?,00620223,?,?), ref: 00620E19
                                                                                            • SetErrorMode.KERNELBASE(00000000,?,?,00620223,?,?), ref: 00620E1E
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorMode
                                                                                            • String ID:
                                                                                            • API String ID: 2340568224-0
                                                                                            • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction ID: ca7d39d3f00bb23aeb65542139c9111eb9232972a72a4ee517b453a7e7f206fa
                                                                                            • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                                            • Instruction Fuzzy Hash: FCD0123114512877D7002A94DC09BCD7B1CDF05B62F008411FB0DD9581C770994046E5

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 599 406dc2-406dd5 600 406e33-406e35 599->600 601 406dd7-406df1 call 406cc9 call 40ef00 599->601 606 406df4-406df9 601->606 606->606 607 406dfb-406e00 606->607 608 406e02-406e22 GetVolumeInformationA 607->608 609 406e24 607->609 608->609 610 406e2e 608->610 609->610 610->600
                                                                                            APIs
                                                                                              • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                              • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                              • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                              • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                                            • String ID:
                                                                                            • API String ID: 1823874839-0
                                                                                            • Opcode ID: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                                            • Opcode Fuzzy Hash: 5af76653529245223ce54de3b2201f43486e795cc7c2b0fcdaec7285886f4086
                                                                                            • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 611 409892-4098c0 612 4098c2-4098c5 611->612 613 4098d9 611->613 612->613 614 4098c7-4098d7 612->614 615 4098e0-4098f1 SetServiceStatus 613->615 614->615
                                                                                            APIs
                                                                                            • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ServiceStatus
                                                                                            • String ID:
                                                                                            • API String ID: 3969395364-0
                                                                                            • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                            • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                                            • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                                            • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 616 4175e2-4175ff VirtualProtect
                                                                                            APIs
                                                                                            • VirtualProtect.KERNELBASE(00000040,?), ref: 004175F8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220350402.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_415000_szylttbf.jbxd
                                                                                            Similarity
                                                                                            • API ID: ProtectVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 544645111-0
                                                                                            • Opcode ID: 4e90e5151ba5019126abd3050a43543751f9b5068c80efb2043434d2877197fe
                                                                                            • Instruction ID: aa73c9f825d5df17848c24f377238b424e705aacf1c0d2419f86f1d3d7c4eb2b
                                                                                            • Opcode Fuzzy Hash: 4e90e5151ba5019126abd3050a43543751f9b5068c80efb2043434d2877197fe
                                                                                            • Instruction Fuzzy Hash: ABC08CB1200209BFCB018B85FC01E863B6CE305384F004071F302A00B0C2B2E9049B1C

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 617 689445-68947f call 689758 620 6894cd 617->620 621 689481-6894b4 VirtualAlloc call 6894d2 617->621 620->620 623 6894b9-6894cb 621->623 623->620
                                                                                            APIs
                                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00689496
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2221208662.0000000000688000.00000040.00000020.00020000.00000000.sdmp, Offset: 00688000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_688000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction ID: ecfbeb44421eae7784e3f23dfe3067b76a79be5e84463f8f237ffb1e0bdc6953
                                                                                            • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                                            • Instruction Fuzzy Hash: F0113C79A00208EFDB01DF98C985E98BBF5AF08350F098094F9489B362D375EA50DF90

                                                                                            Control-flow Graph

                                                                                            control_flow_graph 624 4098f2-4098f4 625 4098f6-409902 call 404280 624->625 628 409904-409913 Sleep 625->628 629 409917 625->629 628->625 630 409915 628->630 631 409919-409942 call 402544 call 40977c 629->631 632 40995e-409960 629->632 630->629 636 409947-409957 call 40ee2a 631->636 636->632
                                                                                            APIs
                                                                                              • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                                            • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3100162736-0
                                                                                            • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                            • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                                            • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                                            • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                                            APIs
                                                                                            • GlobalAlloc.KERNELBASE(00000000,00417A4D), ref: 004175CB
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220350402.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_415000_szylttbf.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocGlobal
                                                                                            • String ID:
                                                                                            • API String ID: 3761449716-0
                                                                                            • Opcode ID: 1b8ec44056b00309cc5f266c182984128dcf6dbdfddfd59655b0be00dbed23e0
                                                                                            • Instruction ID: 274654774a60fdf00fd51e05caba7627b891178c4aca089a58273a46cc3454b5
                                                                                            • Opcode Fuzzy Hash: 1b8ec44056b00309cc5f266c182984128dcf6dbdfddfd59655b0be00dbed23e0
                                                                                            • Instruction Fuzzy Hash: CFB011B00002008FCB800FA8EC08B023EA2A30A383F028038E200882B0CBB20008AF2A
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 006265F6
                                                                                            • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00626610
                                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00626631
                                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00626652
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 1965334864-0
                                                                                            • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction ID: 6e8d70b919d2912a5f2b723aa750023fdc702aba04b80f35724d9e53374ef877
                                                                                            • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                                            • Instruction Fuzzy Hash: 21115171600629BFDB219F65EC46F9B3FA9EB057A5F104024F908A7251D6B1DD408BA4
                                                                                            APIs
                                                                                            • ExitProcess.KERNEL32 ref: 00629E6D
                                                                                            • lstrcpy.KERNEL32(?,00000000), ref: 00629FE1
                                                                                            • lstrcat.KERNEL32(?,?), ref: 00629FF2
                                                                                            • lstrcat.KERNEL32(?,0041070C), ref: 0062A004
                                                                                            • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0062A054
                                                                                            • DeleteFileA.KERNEL32(?), ref: 0062A09F
                                                                                            • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0062A0D6
                                                                                            • lstrcpy.KERNEL32 ref: 0062A12F
                                                                                            • lstrlen.KERNEL32(00000022), ref: 0062A13C
                                                                                            • GetTempPathA.KERNEL32(000001F4,?), ref: 00629F13
                                                                                              • Part of subcall function 00627029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 00627081
                                                                                              • Part of subcall function 00626F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\slknjncf,00627043), ref: 00626F4E
                                                                                              • Part of subcall function 00626F30: GetProcAddress.KERNEL32(00000000), ref: 00626F55
                                                                                              • Part of subcall function 00626F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00626F7B
                                                                                              • Part of subcall function 00626F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00626F92
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0062A1A2
                                                                                            • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0062A1C5
                                                                                            • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0062A214
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0062A21B
                                                                                            • GetDriveTypeA.KERNEL32(?), ref: 0062A265
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 0062A29F
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 0062A2C5
                                                                                            • lstrcat.KERNEL32(?,00000022), ref: 0062A2D9
                                                                                            • lstrcat.KERNEL32(?,00410A34), ref: 0062A2F4
                                                                                            • wsprintfA.USER32 ref: 0062A31D
                                                                                            • lstrcat.KERNEL32(?,00000000), ref: 0062A345
                                                                                            • lstrcat.KERNEL32(?,?), ref: 0062A364
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0062A387
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0062A398
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0062A1D1
                                                                                              • Part of subcall function 00629966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0062999D
                                                                                              • Part of subcall function 00629966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 006299BD
                                                                                              • Part of subcall function 00629966: RegCloseKey.ADVAPI32(?), ref: 006299C6
                                                                                            • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0062A3DB
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0062A3E2
                                                                                            • GetDriveTypeA.KERNEL32(00000022), ref: 0062A41D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                                            • String ID: "$"$"$D$P$\
                                                                                            • API String ID: 1653845638-2605685093
                                                                                            • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction ID: cf56528590d5de3b35cdf00c70cbdd8fe06b47d3e27ef0900399007fdd1af3bf
                                                                                            • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                                            • Instruction Fuzzy Hash: 66F164B1C40669AFDF11DBA0DC49EEF77BDAB08304F0484A9F605E2141E7B58A858F65
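The API lists above are enough to reproduce, by hand, the verdicts a sandbox derives from them. The script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the `Api.MODULE(args), ref: addr` form shown on this page and flags the call chains behind four of those verdicts: VirtualAllocEx with PAGE_EXECUTE_READWRITE (0x40) followed by WriteProcessMemory (the routine at 006265F6), a local VirtualAlloc with 0x40 (the routine at 00689496), RegOpenKeyExA on HKEY_CURRENT_USER (0x80000001) followed by RegSetValueExA, and GetModuleFileNameA, CreateProcessA and DeleteFileA in that address order (the routine starting at 00629E6D). The sample text is a constructed excerpt of those listings; the indicator names, helper functions and the `SAMPLE` constant are the script's own. Argument positions follow the documented Win32 prototypes and assume the listing shows arguments in prototype order, which an unresolved `?` or a shifted stack view (compare the VirtualProtect line above, where 0x40 appears first) can break; in that case the check returns no hit rather than a wrong one.

```python
"""Triage Joe Sandbox API listings for injection, RWX memory, registry writes, self-delete."""
import re
from dataclasses import dataclass

# Constructed sample: call lines copied from three listings on this page (the 006265F6
# injection routine, an excerpt of the 00629E6D installer routine, the 00689496 allocation).
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 006265F6
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00626610
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 00626631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00626652
Memory Dump Source
APIs
• DeleteFileA.KERNEL32(?), ref: 0062A09F
  • Part of subcall function 00626F30: GetProcAddress.KERNEL32(00000000), ref: 00626F55
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0062A1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0062A1C5
• GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0062A21B
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0062A387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0062A398
• RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0062A1D1
Strings
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00689496
Memory Dump Source
"""

# One call line: optional "Part of subcall function X:" prefix, Api.MODULE(args), ref: addr
CALL_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# Windows SDK constants used by the checks
PAGE_EXECUTE_READWRITE = 0x40
HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE = 0x80000001, 0x80000002
CREATE_NO_WINDOW = 0x08000000


@dataclass
class ApiCall:
    api: str
    args: list
    ref: int        # call-site address
    subcall: bool   # line describes a callee's API use, not this function's own

    def arg(self, i):
        # Argument i as int; None when absent, shown as '?' or not hex (a string literal)
        try:
            return int(self.args[i], 16)
        except (IndexError, ValueError):
            return None


def parse_report(text):
    """Split the listing at each 'APIs' header and collect the call lines under it."""
    functions = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            functions.append([])
            continue
        m = CALL_RE.match(line)
        if m and functions:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            functions[-1].append(ApiCall(m["api"], args, int(m["ref"], 16), bool(m["sub"])))
    return functions


def _find(calls, api, pred=lambda c: True, after=0):
    """First call to `api` at an address above `after` that satisfies `pred`, or None."""
    return next((c for c in calls if c.api == api and c.ref > after and pred(c)), None)


def find_indicators(calls):
    """(name, detail) pairs for one function: direct calls only, sorted by call-site address
    because listing order is not program order. Positions assume prototype argument order."""
    calls = sorted((c for c in calls if not c.subcall), key=lambda c: c.ref)
    hits = []
    # Remote RWX allocation followed by a write into that process: the injection chain.
    alloc = _find(calls, "VirtualAllocEx", lambda c: c.arg(4) == PAGE_EXECUTE_READWRITE)
    if alloc and (w := _find(calls, "WriteProcessMemory", after=alloc.ref)):
        hits.append(("remote_rwx_write", f"VirtualAllocEx@{alloc.ref:08X} -> WriteProcessMemory@{w.ref:08X}"))
    # Local RWX allocation: an unpacker staging a decrypted payload.
    for c in calls:
        if c.api == "VirtualAlloc" and c.arg(3) == PAGE_EXECUTE_READWRITE:
            hits.append(("local_rwx_alloc", f"VirtualAlloc@{c.ref:08X}"))
    # Value written under HKCU/HKLM. The key name is '?' in the listing, so this is a
    # persistence candidate only until the key is recovered from the memory dump.
    key = _find(calls, "RegOpenKeyExA", lambda c: c.arg(0) in (HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE))
    if key and (s := _find(calls, "RegSetValueExA", after=key.ref)):
        hive = "HKCU" if key.arg(0) == HKEY_CURRENT_USER else "HKLM"
        hits.append(("registry_value_write", f"{hive} RegOpenKeyExA@{key.ref:08X} -> RegSetValueExA@{s.ref:08X}"))
    # Own path resolved, a hidden child spawned, then a file deleted: self-delete after install.
    cp = _find(calls, "CreateProcessA")
    if cp and _find(calls, "GetModuleFileNameA") and (d := _find(calls, "DeleteFileA", after=cp.ref)):
        flags = "CREATE_NO_WINDOW" if cp.arg(5) == CREATE_NO_WINDOW else "flags=?"
        hits.append(("self_delete", f"CreateProcessA@{cp.ref:08X} ({flags}) -> DeleteFileA@{d.ref:08X}"))
    return hits


def analyze(text):
    """Indicators per function, in listing order."""
    return [find_indicators(f) for f in parse_report(text)]
```

`analyze(SAMPLE)` yields one hit list per function: the injection chain for the first, the HKCU write and the self-delete for the second, the RWX allocation for the third. Calls are sorted by call-site address before the ordering checks because the listing is not in program order (RegCloseKey at 0062A1D1 is listed after DeleteFileA at 0062A398), and "Part of subcall function" lines are kept separate so a callee's GetProcAddress is not credited to the caller. The registry hit is deliberately a candidate rather than a persistence verdict: the key path is `?` here, so which key is written has to be read from the memory dump or the strings, not from this list.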
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
• GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
• GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
• GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
• GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
• GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
• GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
• GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
• Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
• Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
• Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
• Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
APIs
• GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
• FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
• SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
• GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
• wsprintfA.USER32 ref: 0040B3B7
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Similarity
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 00627D21
• GetUserNameA.ADVAPI32(?,?), ref: 00627D46
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00627D7D
• RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 00627DA2
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00627DC0
• EqualSid.ADVAPI32(?,?), ref: 00627DD1
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00627DE5
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00627DF3
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00627E03
• RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 00627E12
• LocalFree.KERNEL32(00000000), ref: 00627E19
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00627E35
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe$D
• API String ID: 2976863881-36158169
• Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
• Instruction ID: 4ee8455aea944f6e348c348989476da7ec125704da033bd804ab694877bc2556
• Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
• Instruction Fuzzy Hash: 40A14E71904229AFDB11CFA1ED88FEEBBB9FB08300F148069E545E6250DB759A85CF64
APIs
• RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
• GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
• LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
• EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
• LocalFree.KERNEL32(00000000), ref: 00407BB2
• GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe$D
• API String ID: 2976863881-36158169
• Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
• Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
• Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
• Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
APIs
• wsprintfA.USER32 ref: 0040A7FB
• lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
• send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
• wsprintfA.USER32 ref: 0040A8AF
• send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
• wsprintfA.USER32 ref: 0040A8E2
• recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
• wsprintfA.USER32 ref: 0040A9B9
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Similarity
• API ID: wsprintf$send$lstrlenrecv
• String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
• API String ID: 3650048968-2394369944
• Opcode ID: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
• Opcode Fuzzy Hash: ab93601b3fbd501b452cd95e20af3b55248dc9460a2857cfbe0e165fe481e7b1
• Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 00627A96
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00627ACD
• GetLengthSid.ADVAPI32(?), ref: 00627ADF
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 00627B01
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 00627B1F
• EqualSid.ADVAPI32(?,?), ref: 00627B39
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00627B4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00627B58
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00627B68
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00627B77
• LocalFree.KERNEL32(00000000), ref: 00627B7E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00627B9A
• GetAce.ADVAPI32(?,?,?), ref: 00627BCA
• EqualSid.ADVAPI32(?,?), ref: 00627BF1
• DeleteAce.ADVAPI32(?,?), ref: 00627C0A
• EqualSid.ADVAPI32(?,?), ref: 00627C2C
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00627CB1
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00627CBF
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00627CD0
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00627CE0
• LocalFree.KERNEL32(00000000), ref: 00627CEE
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: b5ce8a3a4ae40f99efbe3a6cbc28d3f08216b5d2ec21349f88c41ca726efae05
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: 68815F71A04529AFDB11CFA5ED44FEEBBB9FF08344F04806AE905E6250D7758A41CF64
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0040782F
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
• GetLengthSid.ADVAPI32(?), ref: 00407878
• GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
• GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
• EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
• LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
• SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
• LocalFree.KERNEL32(00000000), ref: 00407917
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
• GetAce.ADVAPI32(?,00000000,?), ref: 00407963
• EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
• DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
• EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
• SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
• LocalFree.KERNEL32(00000000), ref: 00407A87
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Similarity
• API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
• String ID: D
• API String ID: 3722657555-2746444292
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
• Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
• RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
• RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
• RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe$localcfg
• API String ID: 237177642-1740763546
APIs
• ShellExecuteExW.SHELL32(?), ref: 0040139A
• lstrlenW.KERNEL32(-00000003), ref: 00401571
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
• API String ID: 1628651668-3716895483
APIs
• GetVersionExA.KERNEL32 ref: 00401DC6
• GetSystemInfo.KERNEL32(?), ref: 00401DE8
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
• GetProcAddress.KERNEL32(00000000), ref: 00401E0A
• GetCurrentProcess.KERNEL32(?), ref: 00401E1B
• GetTickCount.KERNEL32 ref: 00401FC9
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
• String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
• API String ID: 4207808166-1381319158
APIs
• inet_addr.WS2_32(123.45.67.89), ref: 004019B1
• LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
• GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
• GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
• GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
• GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
• HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
• HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
• HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
• FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
• String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
• API String ID: 835516345-270533642
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0062865A
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0062867B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 006286A8
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 006286B1
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Yara matches
Similarity
• API ID: Value$CloseOpenQuery
• String ID: "$C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe
• API String ID: 237177642-3421264840
APIs
• GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 00402A83
• HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 00402A86
• socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
• htons.WS2_32(00000000), ref: 00402ADB
• select.WS2_32 ref: 00402B28
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
• htons.WS2_32(?), ref: 00402B71
• htons.WS2_32(?), ref: 00402B8C
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: Heaphtons$Process$Allocrecvselectsocket
• String ID:
• API String ID: 1639031587-0
APIs
• ShellExecuteExW.SHELL32(?), ref: 00621601
• lstrlenW.KERNEL32(-00000003), ref: 006217D8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Yara matches
Similarity
• API ID: ExecuteShelllstrlen
• String ID: $<$@$D
• API String ID: 1628651668-1974347203
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 006276D9
• RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 00627757
• RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0062778F
• ___ascii_stricmp.LIBCMT ref: 006278B4
• RegCloseKey.ADVAPI32(?), ref: 0062794E
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0062796D
• RegCloseKey.ADVAPI32(?), ref: 0062797E
• RegCloseKey.ADVAPI32(?), ref: 006279AC
• RegCloseKey.ADVAPI32(?), ref: 00627A56
  • Part of subcall function 0062F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,0062772A,?), ref: 0062F414
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 006279F6
• RegCloseKey.ADVAPI32(?), ref: 00627A4D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Yara matches
Similarity
• API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
• String ID: "
• API String ID: 3433985886-123907689
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 004070C2
• RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0040719E
• RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 004071B2
• RegCloseKey.ADVAPI32(75920F10), ref: 00407208
• RegCloseKey.ADVAPI32(75920F10), ref: 00407291
• ___ascii_stricmp.LIBCMT ref: 004072C2
• RegCloseKey.ADVAPI32(75920F10), ref: 004072D0
• RegCloseKey.ADVAPI32(75920F10), ref: 00407314
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
• RegCloseKey.ADVAPI32(75920F10), ref: 004073D8
  • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
• String ID: $"
• API String ID: 4293430545-3817095088
APIs
• RtlAllocateHeap.NTDLL(00000000), ref: 00622CED
• socket.WS2_32(00000002,00000002,00000011), ref: 00622D07
• htons.WS2_32(00000000), ref: 00622D42
• select.WS2_32 ref: 00622D8F
• recv.WS2_32(?,00000000,00001000,00000000), ref: 00622DB1
• GetProcessHeap.KERNEL32(00000000,00000108), ref: 00622E62
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcesshtonsrecvselectsocket
• String ID:
• API String ID: 127016686-0
APIs
• GetLocalTime.KERNEL32(?), ref: 0040AD98
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
  • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
  • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
  • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
  • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
  • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
• wsprintfA.USER32 ref: 0040AEA5
  • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
• wsprintfA.USER32 ref: 0040AE4F
• wsprintfA.USER32 ref: 0040AE5E
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
  • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
• API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                                            • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                                            • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                                            • htons.WS2_32(00000035), ref: 00402E88
                                                                                            • inet_addr.WS2_32(?), ref: 00402E93
                                                                                            • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                                            • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                                            • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
                                                                                            • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
                                                                                            • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
                                                                                            • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,75920F10,00000000), ref: 0040688B
                                                                                            • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 00406906
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,75920F10,00000000), ref: 0040691C
                                                                                            • CloseHandle.KERNEL32(000000FF,?,75920F10,00000000), ref: 00406971
                                                                                              • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                                              • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 2622201749-0
                                                                                            • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                                            • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                                            • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                                            • wsprintfA.USER32 ref: 004093CE
                                                                                            • wsprintfA.USER32 ref: 0040940C
                                                                                            • wsprintfA.USER32 ref: 0040948D
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: runas
                                                                                            • API String ID: 3696105349-4000483414
                                                                                            • Opcode ID: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                                            • Opcode Fuzzy Hash: b115644d8fcf1706915678c94d32f66e2b06ae170b0cb428a55680f7bdd6b1eb
                                                                                            • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0040B467
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                                              • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-2340906255
                                                                                            • Opcode ID: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                            • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                                            • Opcode Fuzzy Hash: f116c43b1eb536776b1bff8e0c8cac67a078ec341982f46d28ec492e3a392109
                                                                                            • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 0062202D
                                                                                            • GetSystemInfo.KERNEL32(?), ref: 0062204F
                                                                                            • GetModuleHandleA.KERNEL32(00410380,0041038C), ref: 0062206A
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00622071
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00622082
                                                                                            • GetTickCount.KERNEL32 ref: 00622230
                                                                                              • Part of subcall function 00621E46: GetComputerNameA.KERNEL32(?,0000000F), ref: 00621E7C
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: flags_upd$hi_id$localcfg$work_srv
                                                                                            • API String ID: 4207808166-1391650218
                                                                                            • Opcode ID: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                            • Instruction ID: 85dcd30d0fa18f37179991f568de312c07edd71a64c600f7b0bb721043a81fe1
                                                                                            • Opcode Fuzzy Hash: a6853c32b60f2cc87b9b05c4564022504dbed896d64d3d62fe446b684c9c1410
                                                                                            • Instruction Fuzzy Hash: 28512BB0500B54AFE370AF75AC86F677AEDEF54704F00092DF99642242D7B59940CB69
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00402078
                                                                                            • GetTickCount.KERNEL32 ref: 004020D4
                                                                                            • GetTickCount.KERNEL32 ref: 004020DB
                                                                                            • GetTickCount.KERNEL32 ref: 0040212B
                                                                                            • GetTickCount.KERNEL32 ref: 00402132
                                                                                            • GetTickCount.KERNEL32 ref: 00402142
                                                                                              • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                                              • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,7508EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                                              • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                                              • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                                              • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                                            • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                                            • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                                            APIs
                                                                                            • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                                            • closesocket.WS2_32(00000000), ref: 0040F375
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                                            • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                                            • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                                            • ExitProcess.KERNEL32 ref: 00404121
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 2404124870-0
                                                                                            • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                                            • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                                            • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                                            APIs
                                                                                              • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                              • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0040C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0040C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0040C363
                                                                                            • GetTickCount.KERNEL32 ref: 0040C378
                                                                                            • GetTickCount.KERNEL32 ref: 0040C44D
                                                                                            • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                                            • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                                            • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00623068
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00623078
                                                                                            • GetProcAddress.KERNEL32(00000000,00410408), ref: 00623095
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 006230B6
                                                                                            • htons.WS2_32(00000035), ref: 006230EF
                                                                                            • inet_addr.WS2_32(?), ref: 006230FA
                                                                                            • gethostbyname.WS2_32(?), ref: 0062310D
                                                                                            • HeapFree.KERNEL32(00000000), ref: 0062314D
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: iphlpapi.dll
                                                                                            • API String ID: 2869546040-3565520932
                                                                                            • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction ID: 1d813b30b10a32134a73d01bf1cdc8a9fba1a703c76f177ae71f5f5a84f58c3c
                                                                                            • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                                            • Instruction Fuzzy Hash: B731A731A00B36ABDB119BB4AC4CAEE7779EF04760F144125E518E7390DB78DE518F58
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?), ref: 006295A7
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 006295D5
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 006295DC
                                                                                            • wsprintfA.USER32 ref: 00629635
                                                                                            • wsprintfA.USER32 ref: 00629673
                                                                                            • wsprintfA.USER32 ref: 006296F4
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 00629758
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0062978D
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 006297D8
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID:
                                                                                            • API String ID: 3696105349-0
                                                                                            • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction ID: 361d2385f7301a4bba166a64323ee31d45b51f5de95e021051f3b75b0c9b7882
                                                                                            • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                                            • Instruction Fuzzy Hash: 88A19FB190062CBFEB21DFA0EC45FDA3BAEEB44340F10402AF90596251E775C984CFA5
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                            • API String ID: 3560063639-3847274415
                                                                                            • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                                            • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                                            • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                            • API String ID: 1586166983-1625972887
                                                                                            • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                            • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                                            • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                                            • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                                            • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                                            • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3188212458-0
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                                            APIs
                                                                                            • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 006267C3
                                                                                            • htonl.WS2_32(?), ref: 006267DF
                                                                                            • htonl.WS2_32(?), ref: 006267EE
                                                                                            • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 006268F1
                                                                                            • ExitProcess.KERNEL32 ref: 006269BC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Processhtonl$CurrentExitHugeRead
                                                                                            • String ID: except_info$localcfg
                                                                                            • API String ID: 1150517154-3605449297
                                                                                            • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction ID: db483c27ba6bba87460c7183fcfba4bfefb2bee3526782cbccefdfabb1a506b3
                                                                                            • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                                            • Instruction Fuzzy Hash: DF617E71A40218AFDB609FB4DC45FEA77E9FB08300F24806AFA6DD2161EA7599908F14
                                                                                            APIs
                                                                                            • htons.WS2_32(0062CC84), ref: 0062F5B4
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0062F5CE
                                                                                            • closesocket.WS2_32(00000000), ref: 0062F5DC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction ID: c5cec7c0f91004e46711342e5653f4d8a75e21fa0a27a917be8ef5dd7389a7d6
                                                                                            • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                                            • Instruction Fuzzy Hash: 4B318B72900528ABDB109FA5EC89DEE7BBDEF89350F10417AF905E3150E7708A858FA4
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                                            • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                                            • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                                            • wsprintfA.USER32 ref: 00407036
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                            • String ID: /%d$|
                                                                                            • API String ID: 676856371-4124749705
                                                                                            • Opcode ID: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                                            • Opcode Fuzzy Hash: a4e95b79f46088df25ad898cee238acd61ae00be348fc6b2bdbab1b8b404bd7d
                                                                                            • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(?), ref: 00622FA1
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 00622FB1
                                                                                            • GetProcAddress.KERNEL32(00000000,004103F0), ref: 00622FC8
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00623000
                                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 00623007
                                                                                            • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 00623032
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                                            • String ID: dnsapi.dll
                                                                                            • API String ID: 1242400761-3175542204
                                                                                            • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction ID: 354b11c558ed6c659a592cc63cbef45475a121ebfb5d32476dbbf2e1e94c06da
                                                                                            • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                                            • Instruction Fuzzy Hash: 25213271941A36BBCB219B55EC449EEBBB9FF18B50F104421F905E7240D7B49E818BE4
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                            • API String ID: 1082366364-3395550214
                                                                                            • Opcode ID: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                                            • Opcode Fuzzy Hash: 174e8731fdbdc44ab974895aa40a4ab233de6b35a5efa5658db69bb206ac9e39
                                                                                            • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
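The API listings in this part of the report (the dynamic resolution of DnsQuery_A and iphlpapi.dll exports, htons(00000035) for port 53, and the CreateProcessA / GetThreadContext / WriteProcessMemory / SetThreadContext / ResumeThread sequence at 00629A18 to 00629AC2) can be machine-checked instead of read by eye. The Python below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses bullet lines in the report's "Name.MODULE(args), ref: ADDR" shape, names the well-known Win32/Winsock constants the report prints as raw hex, and flags a function whose calls form the suspended-process injection pattern. The embedded SAMPLE is excerpted from this page's listing (constructed input). Argument values are whatever Joe Sandbox recovered from the stack, so "?" means unknown, and a decoded constant is only as trustworthy as that recovery.

```python
"""Parse Joe Sandbox "APIs" listings and flag a suspended-process injection chain.

Added example, not Joe Sandbox code. Input lines look like
"Name.MODULE(arg,arg,...), ref: ADDR"; the SAMPLE below is an excerpt of
this report's listing (constructed input for the demo).
"""
import re

CALL_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

SAMPLE = """
APIs
• GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 00623068
• LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00623078
• GetProcAddress.KERNEL32(00000000,00410408), ref: 00623095
• htons.WS2_32(00000035), ref: 006230EF
• gethostbyname.WS2_32(?), ref: 0062310D
Strings
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00629A18
• GetThreadContext.KERNEL32(?,?), ref: 00629A52
• TerminateProcess.KERNEL32(?,00000000), ref: 00629A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00629A98
• SetThreadContext.KERNEL32(?,00010002), ref: 00629AB5
• ResumeThread.KERNEL32(?), ref: 00629AC2
Strings
"""

# Order of the classic suspended-process (thread-context hijack) injection.
INJECTION_CHAIN = ("CreateProcess", "GetThreadContext", "WriteProcessMemory",
                   "SetThreadContext", "ResumeThread")


def parse_arg(tok):
    """8 hex digits become an int; '?' and recovered string literals stay as text."""
    tok = tok.strip()
    return int(tok, 16) if HEX8.match(tok) else tok


def parse_blocks(text):
    """Split the listing at each 'APIs' header; one block per analysed function."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = CALL_RE.match(line)
        if m and current is not None:
            raw = m.group("args")
            args = [parse_arg(a) for a in raw.split(",")] if raw else []
            current.append({"api": m.group("api"), "mod": m.group("mod"),
                            "args": args, "ref": int(m.group("ref"), 16)})
    return blocks


def arg_int(call, i):
    """Integer argument i, or None if absent or not recovered by the sandbox."""
    a = call["args"]
    return a[i] if i < len(a) and isinstance(a[i], int) else None


def decode_constants(call):
    """Name the well-known constants the report prints as raw hex."""
    api, notes = call["api"], []
    if api == "htons" and arg_int(call, 0) is not None:
        port = arg_int(call, 0)
        notes.append(f"port {port}" + (" (DNS)" if port == 53 else ""))
    if api == "socket" and call["args"][:3] == [2, 1, 0]:
        notes.append("AF_INET/SOCK_STREAM (TCP)")
    if api.startswith("CreateProcess") and arg_int(call, 5) is not None:
        if arg_int(call, 5) & 0x4:            # dwCreationFlags
            notes.append("CREATE_SUSPENDED")
    if api.startswith("CreateFile"):
        if arg_int(call, 1) == 0x40000000:     # dwDesiredAccess
            notes.append("GENERIC_WRITE")
        if arg_int(call, 4) == 2:              # dwCreationDisposition
            notes.append("CREATE_ALWAYS")
    if api.startswith("RegOpenKeyEx") and arg_int(call, 0) == 0x80000002:
        notes.append("HKEY_LOCAL_MACHINE")
    return notes


def find_injection_chain(block):
    """True if, in address order, a CREATE_SUSPENDED process creation is followed
    by GetThreadContext, WriteProcessMemory, SetThreadContext and ResumeThread.
    Unrelated calls in between (e.g. TerminateProcess on failure) are skipped."""
    step = 0
    for c in sorted(block, key=lambda c: c["ref"]):
        if not c["api"].startswith(INJECTION_CHAIN[step]):
            continue
        if step == 0 and "CREATE_SUSPENDED" not in decode_constants(c):
            continue
        step += 1
        if step == len(INJECTION_CHAIN):
            return True
    return False


def analyse(text):
    """Decoded constants per block plus the indexes of blocks with the chain."""
    blocks = parse_blocks(text)
    report = {"blocks": len(blocks), "constants": [], "injection_blocks": []}
    for i, block in enumerate(blocks):
        for c in block:
            for note in decode_constants(c):
                report["constants"].append((i, c["api"], note))
        if find_injection_chain(block):
            report["injection_blocks"].append(i)
    return report


if __name__ == "__main__":
    result = analyse(SAMPLE)
    for item in result["constants"]:
        print("block %d: %s -> %s" % item)
    print("injection chain in blocks:", result["injection_blocks"])
```

Run against a whole exported report the same parser works unchanged; the useful extension is to record the "ref" address of the first CreateProcess hit so the finding can be cross-referenced with the Memory Dump Source entry of that function (here the 00620000 region, a non-PE-backed allocation, which is itself consistent with unpacked code).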
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00629A18
                                                                                            • GetThreadContext.KERNEL32(?,?), ref: 00629A52
                                                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 00629A60
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00629A98
                                                                                            • SetThreadContext.KERNEL32(?,00010002), ref: 00629AB5
                                                                                            • ResumeThread.KERNEL32(?), ref: 00629AC2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2981417381-2746444292
                                                                                            • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction ID: e820f12697ed6b59226f73d94d03bf4cfe893f97a55acd81fc621d2ebe196282
                                                                                            • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                                            • Instruction Fuzzy Hash: 1D212AB1E01229BBDB119BA1EC09EEF7BBDEF04750F404061BA19E1150EB758A44CFA4
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(004102D8), ref: 00621C18
                                                                                            • LoadLibraryA.KERNEL32(004102C8), ref: 00621C26
                                                                                            • GetProcessHeap.KERNEL32 ref: 00621C84
                                                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00621C9D
                                                                                            • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 00621CC1
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000), ref: 00621D02
                                                                                            • FreeLibrary.KERNEL32(?), ref: 00621D0B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                                            • String ID:
                                                                                            • API String ID: 2324436984-0
                                                                                            • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction ID: f60f28010b81c4ed7d146f9c18b747f3b19b22b5d12448dab16aabe85fca0cb8
                                                                                            • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                                            • Instruction Fuzzy Hash: 69315235E04229FFCB119FA4EC888EEBAB6EF56301B24447AE501A6210D7B54D80DF54
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00626CE4
                                                                                            • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 00626D22
                                                                                            • GetLastError.KERNEL32 ref: 00626DA7
                                                                                            • CloseHandle.KERNEL32(?), ref: 00626DB5
                                                                                            • GetLastError.KERNEL32 ref: 00626DD6
                                                                                            • DeleteFileA.KERNEL32(?), ref: 00626DE7
                                                                                            • GetLastError.KERNEL32 ref: 00626DFD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3873183294-0
                                                                                            • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction ID: 4cac3b3c8dfdab0e4e102bc681a89b1d953bd73f8fe53c6a48de5b7a03e287ac
                                                                                            • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                                            • Instruction Fuzzy Hash: E431FF76A0065DBFCB019FA4ED44ADEBF7AEF48300F148465F211E3261D7709A458F65
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\slknjncf,00627043), ref: 00626F4E
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00626F55
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00626F7B
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00626F92
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$\\.\pipe\slknjncf
                                                                                            • API String ID: 1082366364-2134968345
                                                                                            • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction ID: ca369a0b3592c72e381bc044ed5946f55819fa3d1f900e87aa69b25753be2071
                                                                                            • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                                            • Instruction Fuzzy Hash: 59216871744B6079F7225731BD8DFFB2E5E8B12710F0880A9F800D5281DAD988DA8BAD
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen
                                                                                            • String ID: $localcfg
                                                                                            • API String ID: 1659193697-2018645984
                                                                                            • Opcode ID: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                            • Instruction ID: 4c0adcb3a3e837be03467dc8cd9055ff9ba6dfdeea5f421156e973fcd4c1fc98
                                                                                            • Opcode Fuzzy Hash: e25caa720acfe6edeb1ed6cfdeeca69567da959aa4b90cf3eb174d19221d8523
                                                                                            • Instruction Fuzzy Hash: 81710971A00B35ABDF218BD4FC85BEE376B9F00705F244876F904A6191DAE19D848F5B
                                                                                            APIs
                                                                                              • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                              • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                                              • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                                              • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                                            • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                            • String ID: flags_upd$localcfg
                                                                                            • API String ID: 204374128-3505511081
                                                                                            • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                                            • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                                            • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                                            APIs
                                                                                              • Part of subcall function 0062DF6C: GetCurrentThreadId.KERNEL32 ref: 0062DFBA
                                                                                            • lstrcmp.KERNEL32(00410178,00000000), ref: 0062E8FA
                                                                                            • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,00626128), ref: 0062E950
                                                                                            • lstrcmp.KERNEL32(?,00000008), ref: 0062E989
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 2920362961-1846390581
                                                                                            • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                            • Instruction ID: 2d22d5c6ba729824f750cd5985f6d9305eb32a546d9189f9d34b7d3557d569ff
                                                                                            • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                                            • Instruction Fuzzy Hash: 4D31B031A00B259BDB718F24E884BE67BE6EB15720F10853BE59587651D376E8C0CF85
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID:
                                                                                            • API String ID: 3609698214-0
                                                                                            • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                            • Instruction ID: edf2acbfa7e2910c7c44fd43cf45ca21678e068ce979f2e5ab41688197600ea0
                                                                                            • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                                            • Instruction Fuzzy Hash: EB215E76109525BFDB109B70FC49EDF3FAEDB49360B228425F542D1091EB71DA409B78
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID:
                                                                                            • API String ID: 3609698214-0
                                                                                            • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                            • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                                            • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                                            • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?), ref: 006292E2
                                                                                            • wsprintfA.USER32 ref: 00629350
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00629375
                                                                                            • lstrlen.KERNEL32(?,?,00000000), ref: 00629389
                                                                                            • WriteFile.KERNEL32(00000000,?,00000000), ref: 00629394
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0062939B
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 2439722600-0
                                                                                            • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction ID: 58b190df47b656413c4b63c768ebf5d1a1e684644d127f0491593526ed3a6a63
                                                                                            • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                                            • Instruction Fuzzy Hash: 061187B17405247BE7606731ED0EFEF3A6EDBC4B10F00C079BB05E5095EEB54A458A68
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                            • wsprintfA.USER32 ref: 004090E9
                                                                                            • CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                            • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 2439722600-0
                                                                                            • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                                            • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                                            • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
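The API chains in the entries above are the ones worth triaging by hand: the function at 00629A18 calls CreateProcessA with dwCreationFlags 00000004 (CREATE_SUSPENDED), then GetThreadContext, a 4-byte WriteProcessMemory, SetThreadContext with context flags 00010002 (CONTEXT_INTEGER on x86, i.e. only the general registers of the suspended primary thread are rewritten) and ResumeThread, which is the classic suspended-process thread hijack; the two GetTempPathA / wsprintfA / CreateFileA (dwDesiredAccess 40000000, GENERIC_WRITE) / WriteFile entries are file drops into %TEMP%; and the function at 00626F4E carries the named-pipe string \\.\pipe\slknjncf. The script below is an added example, not code from the Joe Sandbox report or from the Tofsee sample: it parses bullets in this report's "APIs" format and flags those three chains. The rule names, the parsing helpers and the sample text (bullets copied from the entries on this page, plus one heap-allocation entry as a negative control) are this example's own; the constants are the documented Win32 values.

```python
"""Triage Joe Sandbox "APIs" listings for injection and dropper call chains.
Added example; not Joe Sandbox or Tofsee code. Rule names and helpers are
this example's own choices (assumptions); constants are Win32 values."""
import re
from dataclasses import dataclass, field

# One "• Name.MODULE(args), ref: ADDR" bullet; the args and the
# "Part of subcall function ...:" prefix are optional in the report.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
CREATE_SUSPENDED = 0x00000004  # CreateProcess* dwCreationFlags bit
GENERIC_WRITE = 0x40000000     # CreateFile* dwDesiredAccess bit
PIPE_PREFIX = "\\\\.\\pipe\\"   # the literal prefix \\.\pipe\


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str


@dataclass
class FuncBlock:
    calls: list = field(default_factory=list)

    @property
    def ref(self):  # address of the first call, used as the block label
        return self.calls[0].ref

    def find(self, prefix):
        return [c for c in self.calls if c.name.startswith(prefix)]

    def has(self, prefix):
        return bool(self.find(prefix))


def parse_api_blocks(text):
    """One FuncBlock per 'APIs' header; bullets under 'Strings' or
    'Memory Dump Source' belong to other fields and are skipped."""
    blocks, current = [], None
    for line in text.splitlines():
        head = line.strip()
        if head == "APIs":
            current = FuncBlock()
            blocks.append(current)
        elif head in ("Strings", "Memory Dump Source"):
            current = None
        elif current is not None and (m := CALL_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(Call(m["name"], m["module"], args, m["ref"].upper()))
    return [b for b in blocks if b.calls]


def hex_arg(args, index):
    """Argument `index` as int, or None when absent or unresolved ('?')."""
    try:
        return int(args[index], 16)
    except (IndexError, ValueError):
        return None


def detect(blocks):
    """Return (block ref, rule) pairs for the chains worth a second look."""
    findings = []
    for b in blocks:
        # Child created with CREATE_SUSPENDED (dwCreationFlags is arg 5), then
        # memory written, thread context replaced and the thread resumed.
        suspended = any((hex_arg(c.args, 5) or 0) & CREATE_SUSPENDED
                        for c in b.find("CreateProcess"))
        if suspended and all(b.has(n) for n in
                             ("WriteProcessMemory", "SetThreadContext", "ResumeThread")):
            findings.append((b.ref, "suspended-process-thread-hijack"))
        # %TEMP% path, file opened with GENERIC_WRITE (dwDesiredAccess is
        # arg 1), then written: a dropper writing a payload or script.
        writable = any((hex_arg(c.args, 1) or 0) & GENERIC_WRITE
                       for c in b.find("CreateFile"))
        if b.has("GetTempPath") and writable and b.has("WriteFile"):
            findings.append((b.ref, "temp-file-drop"))
        # Any resolved argument that names a local named pipe.
        if any(a.startswith(PIPE_PREFIX) for c in b.calls for a in c.args):
            findings.append((b.ref, "named-pipe-reference"))
    return findings


# Bullets copied from the report's function listing (process 12), with the
# heap-allocation entry kept as a negative control.
SAMPLE = r"""
APIs
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00629A18
• GetThreadContext.KERNEL32(?,?), ref: 00629A52
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00629A98
• SetThreadContext.KERNEL32(?,00010002), ref: 00629AB5
• ResumeThread.KERNEL32(?), ref: 00629AC2
Strings
Memory Dump Source
APIs
• LoadLibraryA.KERNEL32(004102C8), ref: 00621C26
• GetProcessHeap.KERNEL32 ref: 00621C84
• RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 00621C9D
Memory Dump Source
APIs
• GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\slknjncf,00627043), ref: 00626F4E
• GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00626F7B
Strings
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 006292E2
• wsprintfA.USER32 ref: 00629350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00629375
• WriteFile.KERNEL32(00000000,?,00000000), ref: 00629394
"""


def triage(text=SAMPLE):
    return detect(parse_api_blocks(text))


if __name__ == "__main__":
    for ref, rule in triage():
        print(f"{ref}: {rule}")
```

Run against the full report text, `triage` lists the three functions above and nothing for the heap or string-compare entries; arguments the sandbox could not resolve (shown as `?`) are treated as unknown rather than as zero, so a CreateProcess call whose flags were not recovered is not reported as suspended.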
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                                            • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                                            • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0040E538,?,75920F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
• Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
• Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
• Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
APIs
• GetTickCount.KERNEL32 ref: 0062C6B4
• InterlockedIncrement.KERNEL32(0062C74B), ref: 0062C715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0062C747), ref: 0062C728
• CloseHandle.KERNEL32(00000000,?,0062C747,00413588,00628A77), ref: 0062C733
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Yara matches
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
• Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction ID: 1924bca72225357bc4002720a05a7cd7b605b78e75f3cd1e872ccfac3ae271bf
• Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
• Instruction Fuzzy Hash: 1D5169B1A00B518FC7648F69DAC462ABBEAFB48310B50593EE58BC7A90D774F840CF14
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,75920F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe
• API String ID: 124786226-2476057647
• Opcode ID: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
• Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
• Opcode Fuzzy Hash: 3deeb1ea8207cc87c011d2a4d6b1370e46491988774d06f984d994a05b286973
• Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
APIs
• RegCreateKeyExA.ADVAPI32(80000001,0062E50A,00000000,00000000,00000000,00020106,00000000,0062E50A,00000000,000000E4), ref: 0062E319
• RegSetValueExA.ADVAPI32(0062E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0062E38E
• RegDeleteValueA.ADVAPI32(0062E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Db), ref: 0062E3BF
• RegCloseKey.ADVAPI32(0062E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Db,0062E50A), ref: 0062E3C8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Yara matches
Similarity
• API ID: Value$CloseCreateDelete
• String ID: Db
• API String ID: 2667537340-3549961961
• Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction ID: 413b329a591ff06ba9cbab78379d25b37acce342010e278c7df40c012f1ede8c
• Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
• Instruction Fuzzy Hash: 52213E71A0022DBBDF209FA5EC89EDE7F7AEF09750F048075F904E6151E6728A54DBA0
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 006271E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00627228
• LocalFree.KERNEL32(?,?,?), ref: 00627286
• wsprintfA.USER32 ref: 0062729D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Yara matches
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
• Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction ID: d590bff9bf45c7e99aa70b99ee7c6ca27f8a6818c04f4936b86d87b3be652eef
• Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
• Instruction Fuzzy Hash: 97312B72904219BBDB01DFA4EC49EDA3BBDEF04354F148066F859DB201EA75D7488F94
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
• Opcode ID: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction ID: 5e983dddb47fd7e780230f110e9d304ee880480ae48faa8370a3fb9af9ed59c3
• Opcode Fuzzy Hash: 8a17093f3d26383e77935b758fdadb31e519a4398e40a43d70c627834661f375
• Instruction Fuzzy Hash: FA0149208443895EDF3107289844BEA3F675F9670AF104077E4C0BB692E77C8893835F
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
• Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
• Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
• Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
APIs
• GetLocalTime.KERNEL32(?), ref: 0062B51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0062B529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0062B548
• GetTimeZoneInformation.KERNEL32(?), ref: 0062B590
• wsprintfA.USER32 ref: 0062B61E
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Yara matches
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
• Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction ID: 70b442295583a50f5d29c5ef1cc53c5768f3c7a72f7adb07ed2c58335025befa
• Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
• Instruction Fuzzy Hash: 8251FFB1D0021DAACF14DFD5D8895EEBBB9EF48304F10816AE505B6150E7B94AC9CF98
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
• CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
• Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
• Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
• Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 00626303
• LoadLibraryA.KERNEL32(?), ref: 0062632A
• GetProcAddress.KERNEL32(00000000,?), ref: 006263B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 00626405
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Yara matches
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
• Opcode ID: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction ID: 3344bde8fbfc94aeffa7bf396d1285803e50aed1570ee3161105af62a3e6d24d
• Opcode Fuzzy Hash: 22151fd6ac6a99dd14e45186f4812a7dac7af9c00bb3bb0eb99ee7530713bb62
• Instruction Fuzzy Hash: 61415A71A00A29EBDB14CF58E884AA9B7BAFF04354F248169F855D7390E771ED41CF90
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
• Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
• Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
• Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
• Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
• Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
• Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
APIs
  • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
  • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
  • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
• lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,00405EC1), ref: 0040E693
• lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,00405EC1), ref: 0040E6E9
• lstrcmpA.KERNEL32(?,00000008,?,75920F10,00000000,?,00405EC1), ref: 0040E722
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
• String ID: A$ A
• API String ID: 3343386518-686259309
                                                                                            • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                                            • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                                            • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040272E
                                                                                            • htons.WS2_32(00000001), ref: 00402752
                                                                                            • htons.WS2_32(0000000F), ref: 004027D5
                                                                                            • htons.WS2_32(00000001), ref: 004027E3
                                                                                            • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                                              • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                                              • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                                            • String ID:
                                                                                            • API String ID: 1802437671-0
                                                                                            • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                                            • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                                            • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                                            APIs
                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: setsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3981526788-0
                                                                                            • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                                            • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                                            • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 006293C6
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 006293CD
                                                                                            • CharToOemA.USER32(?,?), ref: 006293DB
                                                                                            • wsprintfA.USER32 ref: 00629410
                                                                                              • Part of subcall function 006292CB: GetTempPathA.KERNEL32(00000400,?), ref: 006292E2
                                                                                              • Part of subcall function 006292CB: wsprintfA.USER32 ref: 00629350
                                                                                              • Part of subcall function 006292CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00629375
                                                                                              • Part of subcall function 006292CB: lstrlen.KERNEL32(?,?,00000000), ref: 00629389
                                                                                              • Part of subcall function 006292CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 00629394
                                                                                              • Part of subcall function 006292CB: CloseHandle.KERNEL32(00000000), ref: 0062939B
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00629448
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3857584221-0
                                                                                            • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction ID: 2cfb44c89ffc5e169543a50f41db7fc89273b7313e1741efa0361d08f2171a3c
                                                                                            • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                                            • Instruction Fuzzy Hash: 850192F69005287BD720A7619D49EDF377CDB85701F0040A5BB09E2080DAB49BC58F75
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                                            • CharToOemA.USER32(?,?), ref: 00409174
                                                                                            • wsprintfA.USER32 ref: 004091A9
                                                                                              • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                                              • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                                              • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                                              • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                                              • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                                              • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3857584221-0
                                                                                            • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                                            • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                                            • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                                            APIs
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                                            • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                                            • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$lstrcmpi
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1808961391-1857712256
                                                                                            • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                            • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                                            • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                                            • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                            • API String ID: 2574300362-1087626847
                                                                                            • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                            • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                                            • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                                            • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                                            APIs
                                                                                              • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                                              • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: hi_id$localcfg
                                                                                            • API String ID: 2777991786-2393279970
                                                                                            • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                            • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                                            • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                                            • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                                            APIs
                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                                            • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                            • String ID: *p@
                                                                                            • API String ID: 3429775523-2474123842
                                                                                            • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                                            • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                                            • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                                            APIs
                                                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0062EEC5
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0062EED9
                                                                                            • GetTickCount.KERNEL32 ref: 0062EEDF
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$CountFileInformationSystemTickVolume
                                                                                            • String ID: 6]*,
                                                                                            • API String ID: 1209300637-3453183305
                                                                                            • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                                            • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                                            • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg$u6A
                                                                                            • API String ID: 1594361348-1940331995
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: e69c8d9bc13b7e13145835170578520d13663a59e3728188cd3a212926d4661f
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: 63E01230604922AFDB509B2CF848AD677E6EF4A330F458595F454D72A0C778DCC19B54
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080), ref: 006269E5
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002), ref: 00626A26
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000), ref: 00626A3A
                                                                                            • CloseHandle.KERNEL32(000000FF), ref: 00626BD8
                                                                                              • Part of subcall function 0062EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00621DCF,?), ref: 0062EEA8
                                                                                              • Part of subcall function 0062EE95: HeapFree.KERNEL32(00000000), ref: 0062EEAF
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 3384756699-0
                                                                                            • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                            • Instruction ID: fe18c1b0cc8a375c4f2f882bbdee66ca67398af16faed58e54507f5127caf153
                                                                                            • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                                            • Instruction Fuzzy Hash: CF710671D00629EFDB109FA4DC809EEBBBAFB04315F1045AAF515E6290D7309E92DF50
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf
                                                                                            • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                            • API String ID: 2111968516-120809033
                                                                                            • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                            • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                                            • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                                            • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                                            • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                                            • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                                            • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID:
                                                                                            • API String ID: 2667537340-0
                                                                                            • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                                            • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                                            • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 006241AB
                                                                                            • GetLastError.KERNEL32 ref: 006241B5
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 006241C6
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 006241D9
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction ID: ba74b553c6f05fa99d626f210380ebff7640525b801ed2135155ff2506547ae7
                                                                                            • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction Fuzzy Hash: 7201E97651111AABDF01DF90ED88BEE7B6DEB18355F104061F901E2150DB709AA48FB5
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0062421F
                                                                                            • GetLastError.KERNEL32 ref: 00624229
                                                                                            • WaitForSingleObject.KERNEL32(?,?), ref: 0062423A
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0062424D
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction ID: 4d6155d4aa5b7197d8b9472ce9998c32c9756ecf53fa069f740af7058cc9c53c
                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction Fuzzy Hash: E801E57291251AABDF02DF91EE84BEE7BADEB08355F108061F901E2150DB709A548FB6
                                                                                            APIs
                                                                                            • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                                            • GetLastError.KERNEL32 ref: 00403F4E
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3373104450-0
                                                                                            • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                                            • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                                            • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                                            APIs
                                                                                            • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                                            • GetLastError.KERNEL32 ref: 00403FC2
                                                                                            • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                                            • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                                            • String ID:
                                                                                            • API String ID: 888215731-0
                                                                                            • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                                            • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                                            • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                                            APIs
                                                                                            • lstrcmp.KERNEL32(?,80000009), ref: 0062E066
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp
                                                                                            • String ID: A$ A$ A
                                                                                            • API String ID: 1534048567-1846390581
                                                                                            • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                            • Instruction ID: ff6e0a761e86794fb533a8cb3306c5980447db65139e3d822af80b11174fa807
                                                                                            • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                                            • Instruction Fuzzy Hash: 78F06831600B119BCB20CF15E8849C2B7EAFB15321B44863BE154C7160D3B5A8A5CF51
                                                                                            APIs
                                                                                            • CreateJobObjectW.KERNEL32(00000000,00000000), ref: 0041775D
                                                                                            • OpenJobObjectW.KERNEL32(00000000,00000000,00000000), ref: 0041777A
                                                                                            • BuildCommDCBW.KERNEL32(00000000,?), ref: 00417785
                                                                                            • LoadLibraryA.KERNEL32(00000000), ref: 0041778C
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220350402.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_415000_szylttbf.jbxd
                                                                                            Similarity
                                                                                            • API ID: Object$BuildCommCreateLibraryLoadOpen
                                                                                            • String ID:
                                                                                            • API String ID: 2043902199-0
                                                                                            • Opcode ID: 41d5079eb8e4714b47d2246b00cdcaccaaa861bf5368716e78538d3f36d7b98f
                                                                                            • Instruction ID: 095df02e26e998a7a84f1c3eb50187d412f7e49c4adf42353831b328159b4c08
                                                                                            • Opcode Fuzzy Hash: 41d5079eb8e4714b47d2246b00cdcaccaaa861bf5368716e78538d3f36d7b98f
                                                                                            • Instruction Fuzzy Hash: 5AE06D31406628AB87107B65ED8C8CB7F7CEF0A395B018038F90591151DB385A49CFED
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                                            • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                                            • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                            • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                                            • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                                            • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404E9E
                                                                                            • GetTickCount.KERNEL32 ref: 00404EAD
                                                                                            • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                                            • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                            • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                                            • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                                            • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 00404BDD
                                                                                            • GetTickCount.KERNEL32 ref: 00404BEC
                                                                                            • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                                            • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 2207858713-0
                                                                                            • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                            • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                                            • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                                            • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD

APIs
• GetTickCount.KERNEL32 ref: 00403103
• GetTickCount.KERNEL32 ref: 0040310F
• Sleep.KERNEL32(00000000), ref: 0040311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0

APIs
• WriteFile.KERNEL32(00000001,Db,00000000,00000000,00000000), ref: 0062E470
• CloseHandle.KERNEL32(00000001,00000003), ref: 0062E484
  • Part of subcall function 0062E2FC: RegCreateKeyExA.ADVAPI32(80000001,0062E50A,00000000,00000000,00000000,00020106,00000000,0062E50A,00000000,000000E4), ref: 0062E319
  • Part of subcall function 0062E2FC: RegSetValueExA.ADVAPI32(0062E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0062E38E
  • Part of subcall function 0062E2FC: RegDeleteValueA.ADVAPI32(0062E50A,?,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Db), ref: 0062E3BF
  • Part of subcall function 0062E2FC: RegCloseKey.ADVAPI32(0062E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,Db,0062E50A), ref: 0062E3C8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Yara matches
Similarity
• API ID: CloseValue$CreateDeleteFileHandleWrite
• String ID: Db
• API String ID: 4151426672-3549961961

APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 006283C6
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 00628477
  • Part of subcall function 006269C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 006269E5
  • Part of subcall function 006269C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 00626A26
  • Part of subcall function 006269C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 00626A3A
  • Part of subcall function 0062EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,00621DCF,?), ref: 0062EEA8
  • Part of subcall function 0062EE95: HeapFree.KERNEL32(00000000), ref: 0062EEAF
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Yara matches
Similarity
• API ID: File$AttributesHeap$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe
• API String ID: 359188348-2476057647

APIs
• GetLocalTime.KERNEL32(?), ref: 0062AFFF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0062B00D
  • Part of subcall function 0062AF6F: gethostname.WS2_32(?,00000080), ref: 0062AF83
  • Part of subcall function 0062AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0062AFE6
  • Part of subcall function 0062331C: gethostname.WS2_32(?,00000080), ref: 0062333F
  • Part of subcall function 0062331C: gethostbyname.WS2_32(?), ref: 00623349
  • Part of subcall function 0062AA0A: inet_ntoa.WS2_32(00000000), ref: 0062AA10
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Yara matches
Similarity
• API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
• String ID: %OUTLOOK_BND_
• API String ID: 1981676241-3684217054

APIs
• ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 00629536
• Sleep.KERNEL32(000001F4), ref: 0062955D
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Yara matches
Similarity
• API ID: ExecuteShellSleep
• String ID:
• API String ID: 4194306370-3916222277

APIs
• WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
• WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: FileWrite
• String ID: ,k@
• API String ID: 3934441357-1053005162

APIs
• GetTickCount.KERNEL32 ref: 0062B9D9
• InterlockedIncrement.KERNEL32(00413648), ref: 0062BA3A
• InterlockedIncrement.KERNEL32(?), ref: 0062BA94
• GetTickCount.KERNEL32 ref: 0062BB79
• GetTickCount.KERNEL32 ref: 0062BB99
• InterlockedIncrement.KERNEL32(?), ref: 0062BE15
• closesocket.WS2_32(00000000), ref: 0062BEB4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Yara matches
Similarity
• API ID: CountIncrementInterlockedTick$closesocket
• String ID: %FROM_EMAIL
• API String ID: 1869671989-2903620461

APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256

APIs
• GetModuleHandleW.KERNEL32(004B0090), ref: 004176CC
• GetProcAddress.KERNEL32(00000000,0041D260), ref: 00417709
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220350402.0000000000415000.00000020.00000001.01000000.00000005.sdmp, Offset: 00415000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_415000_szylttbf.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID:
• API String ID: 1646373207-3916222277

APIs
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906

APIs
  • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
  • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
• GetCurrentThreadId.KERNEL32 ref: 00403929
• GetCurrentThreadId.KERNEL32 ref: 00403939
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461

APIs
• GetUserNameW.ADVAPI32(?,?), ref: 006270BC
• LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 006270F4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
Yara matches
Similarity
• API ID: Name$AccountLookupUser
• String ID: |
• API String ID: 2370142434-2343686810

APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
Yara matches
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• API String ID: 2777991786-1857712256
                                                                                            • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                                            • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                                            • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                                            APIs
                                                                                            • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                                            • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: IncrementInterlockedlstrcpyn
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 224340156-2903620461
                                                                                            • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                                            • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                                            • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                                            APIs
                                                                                            • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                                            • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbyaddrinet_ntoa
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2112563974-1857712256
                                                                                            • Opcode ID: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                                            • Opcode Fuzzy Hash: d53564beee30921141880bc566d8d3609085812ca2ea79526dfe3cb7d65e7849
                                                                                            • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(00000001), ref: 00402693
                                                                                            • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 1594361348-2401304539
                                                                                            • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                                            • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                                            • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,7508EA50,80000001,00000000), ref: 0040EAF2
                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressLibraryLoadProc
                                                                                            • String ID: ntdll.dll
                                                                                            • API String ID: 2574300362-2227199552
                                                                                            • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                                            • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                                            • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                                            APIs
                                                                                              • Part of subcall function 00622F88: GetModuleHandleA.KERNEL32(?), ref: 00622FA1
                                                                                              • Part of subcall function 00622F88: LoadLibraryA.KERNEL32(?), ref: 00622FB1
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006231DA
                                                                                            • HeapFree.KERNEL32(00000000), ref: 006231E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220998578.0000000000620000.00000040.00001000.00020000.00000000.sdmp, Offset: 00620000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_620000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction ID: 3348a83084be362aafdad686c780dbc9d5ac078bdcc4fbb9a747c94338faf09a
                                                                                            • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                                            • Instruction Fuzzy Hash: 6251AA3190066AEFCB01DF64E8889EAB776FF15300B2441A8EC9687311E736DB59CF94
                                                                                            APIs
                                                                                              • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                                              • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                                            • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                                            Memory Dump Source
                                                                                            • Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_12_2_400000_szylttbf.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                                            • String ID:
                                                                                            • API String ID: 1017166417-0
                                                                                            • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                            • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                                            • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                                            • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
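The block below is an added example, not part of the Joe Sandbox report or its tooling. It parses the plain-text function listing above (the "APIs" call lines and the "Similarity" key/value lines) into records, pulls out the literal string arguments an analyst pivots on (Iphlpapi.dll, localcfg, hi_id, and the GetAdaptersAddresses name handed to GetProcAddress, which reveals an import resolved at run time), and tags each function by the API combination it uses. The sample input is constructed from the first and fourth function blocks above; the behaviour tags, the API sets behind them and the record layout are this example's own choices, not Joe Sandbox fields.

```python
"""Parse the per-function API listing of a Joe Sandbox report and triage it."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: two function blocks copied from the listing above,
# reduced to the lines this parser cares about.
SAMPLE = """\
APIs
  • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
  • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
• GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
• GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2220329703.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressComputerInformationLibraryLoadNameProcVolume
• String ID: localcfg
• Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
APIs
• inet_addr.WS2_32(00000001), ref: 00402693
• gethostbyname.WS2_32(00000001), ref: 0040269F
Strings
Similarity
• API ID: gethostbynameinet_addr
• String ID: time_cfg
• Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
"""

# One call line: optional "Part of subcall function <addr>: " prefix, then
# <API>.<DLL>(<comma separated args>), ref: <call site>.
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<dll>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^(?P<key>[^:]+): ?(?P<val>.*)$")   # "• Key: value" lines
HEX_RE = re.compile(r"^[0-9A-Fa-f]{8}$")                # 32-bit argument values

# Example's own behaviour tags (an assumption, not Joe Sandbox categories).
FINGERPRINT = {"GetComputerNameA", "GetVolumeInformationA", "GetAdaptersAddresses",
               "GetUserNameA", "GetVersionExA", "GetSystemInfo"}
RESOLVERS = {"gethostbyname", "gethostbyaddr", "inet_addr", "inet_ntoa"}


@dataclass
class ApiCall:
    api: str
    dll: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None

    def string_args(self):
        """Arguments that are neither 8-hex-digit values nor the '?' placeholder."""
        return [a for a in self.args if a != "?" and not HEX_RE.match(a)]


@dataclass
class FunctionBlock:
    calls: List[ApiCall] = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def api_names(self):
        return {c.api for c in self.calls}

    def resolved_imports(self):
        """Names passed to GetProcAddress: imports the function resolves at run time."""
        return [a for c in self.calls if c.api == "GetProcAddress" for a in c.string_args()]


def parse_blocks(text):
    """Split the listing at each 'APIs' header and collect calls and key/value fields."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        m = API_RE.match(body)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["api"], m["dll"], args, m["ref"], m["sub"]))
            continue
        m = KV_RE.match(body)
        if m:
            cur.fields[m["key"].strip()] = m["val"].strip()
    return blocks


def triage(block):
    """Behaviour tags for one function, derived from direct and run-time-resolved APIs."""
    names = block.api_names() | set(block.resolved_imports())
    tags = []
    if names & FINGERPRINT:
        tags.append("host-fingerprint")
    if names & RESOLVERS:
        tags.append("name-resolution")
    if {"LoadLibraryA", "GetProcAddress"} <= names:
        tags.append("dynamic-import")
    return tags


def summarize(text):
    """One pivot record per function: IDs, fuzzy hash, call sites, literals, tags."""
    out = []
    for b in parse_blocks(text):
        out.append({
            "api_id": b.fields.get("API ID"),
            "string_id": b.fields.get("String ID"),
            "fuzzy": b.fields.get("Instruction Fuzzy Hash"),
            "refs": [c.ref for c in b.calls],
            "strings": sorted({s for c in b.calls for s in c.string_args()}),
            "resolved": b.resolved_imports(),
            "tags": triage(b),
        })
    return out


if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec["api_id"], rec["tags"], rec["strings"], rec["resolved"])
```

The Instruction Fuzzy Hash is kept in each record so the same parser can be run over several reports and matching functions joined on it; the string literals are extracted from the call arguments rather than from the "String ID" field because the latter holds only one string per function while the arguments carry all of them.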

                                                                                            Execution Graph

Execution Coverage: 15.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0.7%
Total number of Nodes: 1807
Total number of Limit Nodes: 18

[execution_graph: the interactive graph did not survive extraction; only its serialized node/edge list did, and that list is cut off at node 6649 (275dd20). What is recoverable from it, the node addresses and the APIs the graph attaches to them, grouped by behaviour:]
• Start-up (node 2759a6b has no incoming edge in the dump): 2759a6b SetErrorMode, SetErrorMode, SetUnhandledExceptionFilter, followed by 275ec54 GetSystemTimeAsFileTime, GetVolumeInformationA, GetTickCount, then 2759aa3 GetModuleHandleA, GetModuleFileNameA and 2759afd GetCommandLineA; 275a41c CreateThread, WSAStartup; CreateEventA at 275405e and 2754280; 275a1e3 GetCommandLineA; 275a167 and 2759f9d GetModuleHandleA, GetModuleFileNameA.
• Service hosting: 2759961 RegisterServiceCtrlHandlerA; SetServiceStatus at 2759892 and 27598c2; 275a39d StartServiceCtrlDispatcherA.
• Registry: 2759f32 RegOpenKeyExA -> 2759f48 RegSetValueExA, RegCloseKey; 275972d RegOpenKeyExA -> 275974f RegDeleteValueA, RegCloseKey; RegOpenKeyExA at 2758156, 27594e8 and 275e3ca with RegQueryValueExA at 275816d, 27581aa, 275951f and 2759556.
• System and host information: 2751db4 GetVersionExA; 2751dd0 GetSystemInfo, GetModuleHandleA, GetProcAddress; 2751e16 GetCurrentProcess; 2756e02 GetVolumeInformationA; 2756f5f GetUserNameA; GetDriveTypeA at 275a1b2 and 2759ff1; 2756a8f GetDiskFreeSpaceA; GetSystemDirectoryA at 2756d12, 275cfe3 and 275d027; 2756d27 GetWindowsDirectoryA; GetEnvironmentVariableA at 2759e6b, 275cfad, 275d22d and 275d36e.
• Run-time import resolution: 275199c inet_addr, LoadLibraryA; 275f04e LoadLibraryA, GetProcAddress, SystemTimeToFileTime, GetSystemTimeAsFileTime; 2756cdc GetModuleHandleA, GetProcAddress.
• Network: 275c65c send, GetProcessHeap, HeapSize, GetProcessHeap, RtlAllocateHeap; closesocket at 275ca4b, 275cb60 and 275dad2; 275d569 closesocket, Sleep.
• File drop and launch: GetTempPathA at 2759ca0, 275cc1c and 2759064; CreateFileA at 275cc9f, 275d15b, 275d2b1, 275d3f2, 2756784, 27567a4 and 2756a60; WriteFile at 275ccc6, 275d182, 275d2d8 and 275d415; SetFileAttributesA at 275677a, 27567ba, 275d149, 275d1bf, 275d29f, 275d31d, 275d3e0 and 275d452; CreateProcessA at 275a103 and 275d4b1; 27591d5 ShellExecuteA; 275cd81 WaitForSingleObject, CloseHandle, CloseHandle; DeleteFileA at 275a406, 2759e0c, 275a12a, 275cdbd and 2756b7f; 2759dde GetFileAttributesExA; ReadFile/SetFilePointer sequence at 27567ed, 2756811, 275682a, 2756848, 2756878, 2756900 and 275690d.
• Device I/O: 2758e26 GetSystemTime, SystemTimeToFileTime, CreateFileW, DeviceIoControl, CloseHandle.
• Other: IsBadWritePtr at 2755d34 and 2754861; 2759145 GetModuleHandleA, GetModuleFileNameA, CharToOemA; lstrcmpiA chain at 275be31, 275be55, 275be61, 275bf62, 275bf77 and 275bf8c; lstrcmpA at 2755110 and 2755351; 275dd41 InterlockedExchange; Sleep at 275a3f8, 275a4be, 2758dec and 2759904; ExitProcess at 2759c05 and 275d582.
GetCurrentThreadId 6648->6649 6650 275dd4a 6648->6650 6651 275dd53 GetCurrentThreadId 6649->6651 6652 275dd2e GetTickCount 6649->6652 6650->6651 6651->6260 6653 275dd4c 6652->6653 6654 275dd39 Sleep 6652->6654 6653->6651 6654->6648 6656 275dbf0 6655->6656 6688 275db67 GetEnvironmentVariableA 6656->6688 6658 275dc19 6659 275dcda 6658->6659 6660 275db67 3 API calls 6658->6660 6659->6262 6661 275dc5c 6660->6661 6661->6659 6662 275db67 3 API calls 6661->6662 6663 275dc9b 6662->6663 6663->6659 6664 275db67 3 API calls 6663->6664 6664->6659 6666 275e528 6665->6666 6667 275e3f4 6665->6667 6666->6274 6668 275e434 RegQueryValueExA 6667->6668 6669 275e51d RegCloseKey 6668->6669 6670 275e458 6668->6670 6669->6666 6671 275e46e RegQueryValueExA 6670->6671 6671->6670 6672 275e488 6671->6672 6672->6669 6673 275db2e 8 API calls 6672->6673 6674 275e499 6673->6674 6674->6669 6675 275e4b9 RegQueryValueExA 6674->6675 6676 275e4e8 6674->6676 6675->6674 6675->6676 6676->6669 6677 275e332 14 API calls 6676->6677 6678 275e513 6677->6678 6678->6669 6680 275db55 6679->6680 6681 275db3a 6679->6681 6680->6265 6680->6269 6692 275ebed 6681->6692 6710 275f04e SystemTimeToFileTime GetSystemTimeAsFileTime 6683->6710 6685 275e3be 6685->6265 6687 275e342 6687->6685 6713 275de24 6687->6713 6689 275db89 lstrcpyA CreateFileA 6688->6689 6690 275dbca 6688->6690 6689->6658 6690->6658 6693 275ebf6 6692->6693 6694 275ec01 6692->6694 6701 275ebcc GetProcessHeap RtlAllocateHeap 6693->6701 6704 275eba0 6694->6704 6702 275eb74 2 API calls 6701->6702 6703 275ebe8 6702->6703 6703->6680 6705 275eba7 GetProcessHeap HeapSize 6704->6705 6706 275ebbf GetProcessHeap RtlReAllocateHeap 6704->6706 6705->6706 6707 275eb74 6706->6707 6708 275eb7b GetProcessHeap HeapSize 6707->6708 6709 275eb93 6707->6709 6708->6709 6709->6680 6724 275eb41 6710->6724 6712 275f0b7 6712->6687 6714 275de3a 6713->6714 6719 275de4e 6714->6719 6733 275dd84 6714->6733 6717 275de9e 6718 275ebed 8 API calls 6717->6718 6717->6719 6722 275def6 
6718->6722 6719->6687 6720 275de76 6737 275ddcf 6720->6737 6722->6719 6723 275ddcf lstrcmpA 6722->6723 6723->6719 6725 275eb4a 6724->6725 6728 275eb61 6724->6728 6729 275eae4 6725->6729 6727 275eb54 6727->6712 6727->6728 6728->6712 6730 275eb02 GetProcAddress 6729->6730 6731 275eaed LoadLibraryA 6729->6731 6730->6727 6731->6730 6732 275eb01 6731->6732 6732->6727 6734 275ddc5 6733->6734 6735 275dd96 6733->6735 6734->6717 6734->6720 6735->6734 6736 275ddad lstrcmpiA 6735->6736 6736->6734 6736->6735 6738 275dddd 6737->6738 6740 275de20 6737->6740 6739 275ddfa lstrcmpA 6738->6739 6738->6740 6739->6738 6740->6719 6742 275dd05 6 API calls 6741->6742 6743 275e821 6742->6743 6744 275dd84 lstrcmpiA 6743->6744 6745 275e82c 6744->6745 6746 275e844 6745->6746 6791 2752480 6745->6791 6746->6289 6749 275ea98 6748->6749 6800 275e8a1 6749->6800 6751 2751e84 6751->6298 6753 27519d5 GetProcAddress GetProcAddress GetProcAddress 6752->6753 6756 27519ce 6752->6756 6754 2751a04 6753->6754 6755 2751ab3 FreeLibrary 6753->6755 6754->6755 6757 2751a14 GetBestInterface GetProcessHeap 6754->6757 6755->6756 6756->6302 6757->6756 6758 2751a2e HeapAlloc 6757->6758 6758->6756 6759 2751a42 GetAdaptersInfo 6758->6759 6760 2751a62 6759->6760 6761 2751a52 HeapReAlloc 6759->6761 6762 2751aa1 FreeLibrary 6760->6762 6763 2751a69 GetAdaptersInfo 6760->6763 6761->6760 6762->6756 6763->6762 6764 2751a75 HeapFree 6763->6764 6764->6762 6828 2751ac3 LoadLibraryA 6766->6828 6769 2751bcf 6769->6313 6771 2751ac3 13 API calls 6770->6771 6772 2751c09 6771->6772 6773 2751c0d GetComputerNameA 6772->6773 6774 2751c5a 6772->6774 6775 2751c45 GetVolumeInformationA 6773->6775 6776 2751c1f 6773->6776 6774->6321 6775->6774 6776->6775 6777 2751c41 6776->6777 6777->6774 6779 275ee2a 6778->6779 6780 27530d0 gethostname gethostbyname 6779->6780 6781 2751f82 6780->6781 6781->6326 6781->6328 6783 275dd05 6 API calls 6782->6783 6784 275df7c 6783->6784 6785 275dd84 lstrcmpiA 6784->6785 6790 275df89 6785->6790 6786 275dfc4 
6786->6295 6787 275ddcf lstrcmpA 6787->6790 6788 275ec2e codecvt 4 API calls 6788->6790 6789 275dd84 lstrcmpiA 6789->6790 6790->6786 6790->6787 6790->6788 6790->6789 6794 2752419 lstrlenA 6791->6794 6793 2752491 6793->6746 6795 275243d lstrlenA 6794->6795 6799 2752474 6794->6799 6796 2752464 lstrlenA 6795->6796 6797 275244e lstrcmpiA 6795->6797 6796->6795 6796->6799 6797->6796 6798 275245c 6797->6798 6798->6796 6798->6799 6799->6793 6801 275dd05 6 API calls 6800->6801 6802 275e8b4 6801->6802 6803 275dd84 lstrcmpiA 6802->6803 6804 275e8c0 6803->6804 6805 275e90a 6804->6805 6806 275e8c8 lstrcpynA 6804->6806 6808 2752419 4 API calls 6805->6808 6817 275ea27 6805->6817 6807 275e8f5 6806->6807 6821 275df4c 6807->6821 6809 275e926 lstrlenA lstrlenA 6808->6809 6810 275e94c lstrlenA 6809->6810 6811 275e96a 6809->6811 6810->6811 6815 275ebcc 4 API calls 6811->6815 6811->6817 6813 275e901 6814 275dd84 lstrcmpiA 6813->6814 6814->6805 6816 275e98f 6815->6816 6816->6817 6818 275df4c 20 API calls 6816->6818 6817->6751 6819 275ea1e 6818->6819 6820 275ec2e codecvt 4 API calls 6819->6820 6820->6817 6822 275dd05 6 API calls 6821->6822 6823 275df51 6822->6823 6824 275f04e 4 API calls 6823->6824 6825 275df58 6824->6825 6826 275de24 10 API calls 6825->6826 6827 275df63 6826->6827 6827->6813 6829 2751ae2 GetProcAddress 6828->6829 6835 2751b68 GetComputerNameA GetVolumeInformationA 6828->6835 6832 2751af5 6829->6832 6829->6835 6830 2751b1c GetAdaptersAddresses 6830->6832 6833 2751b29 6830->6833 6831 275ebed 8 API calls 6831->6832 6832->6830 6832->6831 6832->6833 6833->6833 6834 275ec2e codecvt 4 API calls 6833->6834 6833->6835 6834->6835 6835->6769 6837 2756ec3 2 API calls 6836->6837 6838 2757ef4 6837->6838 6848 2757fc9 6838->6848 6872 27573ff 6838->6872 6840 2757f16 6840->6848 6892 2757809 GetUserNameA 6840->6892 6842 2757f63 6842->6848 6916 275ef1e lstrlenA 6842->6916 6845 275ef1e lstrlenA 6846 2757fb7 6845->6846 6918 2757a95 RegOpenKeyExA 6846->6918 6848->6336 6850 2757073 6849->6850 
6851 27570b9 RegOpenKeyExA 6850->6851 6852 27570d0 6851->6852 6860 27571b8 6851->6860 6853 2756dc2 6 API calls 6852->6853 6856 27570d5 6853->6856 6854 275719b RegEnumValueA 6855 27571af RegCloseKey 6854->6855 6854->6856 6855->6860 6856->6854 6857 27571d0 6856->6857 6949 275f1a5 lstrlenA 6856->6949 6859 2757205 RegCloseKey 6857->6859 6861 2757227 6857->6861 6859->6860 6860->6337 6862 275728e RegCloseKey 6861->6862 6863 27572b8 ___ascii_stricmp 6861->6863 6862->6860 6864 27572cd RegCloseKey 6863->6864 6865 27572dd 6863->6865 6864->6860 6866 2757311 RegCloseKey 6865->6866 6868 2757335 6865->6868 6866->6860 6867 27573d5 RegCloseKey 6869 27573e4 6867->6869 6868->6867 6870 275737e GetFileAttributesExA 6868->6870 6871 2757397 6868->6871 6870->6871 6871->6867 6873 275741b 6872->6873 6874 2756dc2 6 API calls 6873->6874 6875 275743f 6874->6875 6876 2757469 RegOpenKeyExA 6875->6876 6877 27577f9 6876->6877 6888 2757487 ___ascii_stricmp 6876->6888 6877->6840 6878 2757703 RegEnumKeyA 6879 2757714 RegCloseKey 6878->6879 6878->6888 6879->6877 6880 275f1a5 lstrlenA 6880->6888 6881 27574d2 RegOpenKeyExA 6881->6888 6882 275772c 6884 2757742 RegCloseKey 6882->6884 6885 275774b 6882->6885 6883 2757521 RegQueryValueExA 6883->6888 6884->6885 6886 27577ec RegCloseKey 6885->6886 6886->6877 6887 27576e4 RegCloseKey 6887->6888 6888->6878 6888->6880 6888->6881 6888->6882 6888->6883 6888->6887 6890 275777e GetFileAttributesExA 6888->6890 6891 2757769 6888->6891 6889 27577e3 RegCloseKey 6889->6886 6890->6891 6891->6889 6893 275783d LookupAccountNameA 6892->6893 6894 2757a8d 6892->6894 6893->6894 6895 2757874 GetLengthSid GetFileSecurityA 6893->6895 6894->6842 6895->6894 6896 27578a8 GetSecurityDescriptorOwner 6895->6896 6897 27578c5 EqualSid 6896->6897 6898 275791d GetSecurityDescriptorDacl 6896->6898 6897->6898 6899 27578dc LocalAlloc 6897->6899 6898->6894 6906 2757941 6898->6906 6899->6898 6900 27578ef InitializeSecurityDescriptor 6899->6900 6902 2757916 LocalFree 6900->6902 6903 27578fb 
SetSecurityDescriptorOwner 6900->6903 6901 275795b GetAce 6901->6906 6902->6898 6903->6902 6904 275790b SetFileSecurityA 6903->6904 6904->6902 6905 2757980 EqualSid 6905->6906 6906->6894 6906->6901 6906->6905 6907 2757a3d 6906->6907 6908 27579be EqualSid 6906->6908 6909 275799d DeleteAce 6906->6909 6907->6894 6910 2757a43 LocalAlloc 6907->6910 6908->6906 6909->6906 6910->6894 6911 2757a56 InitializeSecurityDescriptor 6910->6911 6912 2757a86 LocalFree 6911->6912 6913 2757a62 SetSecurityDescriptorDacl 6911->6913 6912->6894 6913->6912 6914 2757a73 SetFileSecurityA 6913->6914 6914->6912 6915 2757a83 6914->6915 6915->6912 6917 2757fa6 6916->6917 6917->6845 6919 2757ac4 6918->6919 6920 2757acb GetUserNameA 6918->6920 6919->6848 6921 2757da7 RegCloseKey 6920->6921 6922 2757aed LookupAccountNameA 6920->6922 6921->6919 6922->6921 6923 2757b24 RegGetKeySecurity 6922->6923 6923->6921 6924 2757b49 GetSecurityDescriptorOwner 6923->6924 6925 2757b63 EqualSid 6924->6925 6926 2757bb8 GetSecurityDescriptorDacl 6924->6926 6925->6926 6928 2757b74 LocalAlloc 6925->6928 6927 2757da6 6926->6927 6938 2757bdc 6926->6938 6927->6921 6928->6926 6929 2757b8a InitializeSecurityDescriptor 6928->6929 6931 2757b96 SetSecurityDescriptorOwner 6929->6931 6932 2757bb1 LocalFree 6929->6932 6930 2757bf8 GetAce 6930->6938 6931->6932 6933 2757ba6 RegSetKeySecurity 6931->6933 6932->6926 6933->6932 6934 2757c1d EqualSid 6934->6938 6935 2757cd9 6935->6927 6939 2757d5a LocalAlloc 6935->6939 6941 2757cf2 RegOpenKeyExA 6935->6941 6936 2757c5f EqualSid 6936->6938 6937 2757c3a DeleteAce 6937->6938 6938->6927 6938->6930 6938->6934 6938->6935 6938->6936 6938->6937 6939->6927 6940 2757d70 InitializeSecurityDescriptor 6939->6940 6942 2757d7c SetSecurityDescriptorDacl 6940->6942 6943 2757d9f LocalFree 6940->6943 6941->6939 6946 2757d0f 6941->6946 6942->6943 6944 2757d8c RegSetKeySecurity 6942->6944 6943->6927 6944->6943 6945 2757d9c 6944->6945 6945->6943 6947 2757d43 RegSetValueExA 6946->6947 6947->6939 6948 2757d54 
6947->6948 6948->6939 6950 275f1c3 6949->6950 6950->6856 6951->6357 6953 275dd05 6 API calls 6952->6953 6954 275e65f 6953->6954 6955 275e6a5 6954->6955 6957 275e68c lstrcmpA 6954->6957 6956 275ebcc 4 API calls 6955->6956 6959 275e6f5 6955->6959 6958 275e6b0 6956->6958 6957->6954 6958->6959 6960 275e6b7 6958->6960 6961 275e6e0 lstrcpynA 6958->6961 6959->6960 6962 275e71d lstrcmpA 6959->6962 6960->6359 6961->6959 6962->6959 6963->6365 6965 2752692 inet_addr 6964->6965 6966 275268e 6964->6966 6965->6966 6967 275269e gethostbyname 6965->6967 6968 275f428 6966->6968 6967->6966 7116 275f315 6968->7116 6971 275f43e 6972 275f473 recv 6971->6972 6973 275f47c 6972->6973 6974 275f458 6972->6974 6973->6396 6974->6972 6974->6973 6976 275c525 6975->6976 6977 275c532 6975->6977 6976->6977 6980 275ec2e codecvt 4 API calls 6976->6980 6978 275c548 6977->6978 7129 275e7ff 6977->7129 6981 275e7ff lstrcmpiA 6978->6981 6989 275c54f 6978->6989 6980->6977 6982 275c615 6981->6982 6983 275ebcc 4 API calls 6982->6983 6982->6989 6983->6989 6985 275c5d1 6987 275ebcc 4 API calls 6985->6987 6986 275e819 11 API calls 6988 275c5b7 6986->6988 6987->6989 6990 275f04e 4 API calls 6988->6990 6989->6378 6991 275c5bf 6990->6991 6991->6978 6991->6985 6994 275c8d2 6992->6994 6993 275c907 6993->6380 6994->6993 6995 275c517 23 API calls 6994->6995 6995->6993 6997 275c670 6996->6997 6998 275c67d 6996->6998 6999 275ebcc 4 API calls 6997->6999 7000 275ebcc 4 API calls 6998->7000 7001 275c699 6998->7001 6999->6998 7000->7001 7002 275c6f3 7001->7002 7003 275c73c send 7001->7003 7002->6409 7002->6440 7003->7002 7005 275c770 7004->7005 7006 275c77d 7004->7006 7007 275ebcc 4 API calls 7005->7007 7008 275c799 7006->7008 7010 275ebcc 4 API calls 7006->7010 7007->7006 7009 275c7b5 7008->7009 7011 275ebcc 4 API calls 7008->7011 7012 275f43e recv 7009->7012 7010->7008 7011->7009 7013 275c7cb 7012->7013 7014 275f43e recv 7013->7014 7015 275c7d3 7013->7015 7014->7015 7015->6440 7132 2757db7 7016->7132 7019 275f04e 4 API 
calls 7021 2757e4c 7019->7021 7020 275f04e 4 API calls 7022 2757e96 7020->7022 7023 275f04e 4 API calls 7021->7023 7024 2757e70 7021->7024 7022->6440 7023->7024 7024->7020 7024->7022 7026 2756ec3 2 API calls 7025->7026 7027 2757fdd 7026->7027 7028 27573ff 17 API calls 7027->7028 7029 27580c2 CreateProcessA 7027->7029 7030 2757fff 7028->7030 7029->6463 7029->6464 7030->7029 7030->7030 7031 2757809 21 API calls 7030->7031 7032 275804d 7031->7032 7032->7029 7033 275ef1e lstrlenA 7032->7033 7034 275809e 7033->7034 7035 275ef1e lstrlenA 7034->7035 7036 27580af 7035->7036 7037 2757a95 24 API calls 7036->7037 7037->7029 7039 2757db7 2 API calls 7038->7039 7040 2757eb8 7039->7040 7041 275f04e 4 API calls 7040->7041 7042 2757ece DeleteFileA 7041->7042 7042->6440 7044 275dd05 6 API calls 7043->7044 7045 275e31d 7044->7045 7136 275e177 7045->7136 7047 275e326 7047->6434 7049 27531f3 7048->7049 7059 27531ec 7048->7059 7050 275ebcc 4 API calls 7049->7050 7064 27531fc 7050->7064 7051 275344b 7052 275349d 7051->7052 7053 2753459 7051->7053 7054 275ec2e codecvt 4 API calls 7052->7054 7055 275f04e 4 API calls 7053->7055 7054->7059 7056 275345f 7055->7056 7057 27530fa 4 API calls 7056->7057 7057->7059 7058 275ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7058->7064 7059->6440 7060 275344d 7061 275ec2e codecvt 4 API calls 7060->7061 7061->7051 7063 2753141 lstrcmpiA 7063->7064 7064->7051 7064->7058 7064->7059 7064->7060 7064->7063 7162 27530fa GetTickCount 7064->7162 7066 27530fa 4 API calls 7065->7066 7067 2753c1a 7066->7067 7071 2753ce6 7067->7071 7167 2753a72 7067->7167 7070 2753a72 9 API calls 7073 2753c5e 7070->7073 7071->6440 7072 2753a72 9 API calls 7072->7073 7073->7071 7073->7072 7074 275ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7073->7074 7074->7073 7076 2753a10 7075->7076 7077 27530fa 4 API calls 7076->7077 7078 2753a1a 7077->7078 7078->6440 7080 275dd05 6 API calls 7079->7080 7081 275e7be 7080->7081 7081->6440 7083 275c07e wsprintfA 
7082->7083 7087 275c105 7082->7087 7176 275bfce GetTickCount wsprintfA 7083->7176 7085 275c0ef 7177 275bfce GetTickCount wsprintfA 7085->7177 7087->6440 7089 2757047 7088->7089 7090 2756f88 LookupAccountNameA 7088->7090 7089->6440 7092 2757025 7090->7092 7094 2756fcb 7090->7094 7178 2756edd 7092->7178 7096 2756fdb ConvertSidToStringSidA 7094->7096 7096->7092 7097 2756ff1 7096->7097 7098 2757013 LocalFree 7097->7098 7098->7092 7100 275dd05 6 API calls 7099->7100 7101 275e85c 7100->7101 7102 275dd84 lstrcmpiA 7101->7102 7103 275e867 7102->7103 7104 275e885 lstrcpyA 7103->7104 7189 27524a5 7103->7189 7192 275dd69 7104->7192 7110 2757db7 2 API calls 7109->7110 7111 2757de1 7110->7111 7112 2757e16 7111->7112 7113 275f04e 4 API calls 7111->7113 7112->6440 7114 2757df2 7113->7114 7114->7112 7115 275f04e 4 API calls 7114->7115 7115->7112 7117 275ca1d 7116->7117 7118 275f33b 7116->7118 7117->6393 7117->6971 7119 275f347 htons socket 7118->7119 7120 275f374 closesocket 7119->7120 7121 275f382 ioctlsocket 7119->7121 7120->7117 7122 275f39d 7121->7122 7123 275f3aa connect select 7121->7123 7124 275f39f closesocket 7122->7124 7123->7117 7125 275f3f2 __WSAFDIsSet 7123->7125 7124->7117 7125->7124 7126 275f403 ioctlsocket 7125->7126 7128 275f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7126->7128 7128->7117 7130 275dd84 lstrcmpiA 7129->7130 7131 275c58e 7130->7131 7131->6978 7131->6985 7131->6986 7133 2757dc8 InterlockedExchange 7132->7133 7134 2757dd4 7133->7134 7135 2757dc0 Sleep 7133->7135 7134->7019 7134->7024 7135->7133 7139 275e184 7136->7139 7137 275e2e4 7137->7047 7138 275e223 7138->7137 7141 275dfe2 8 API calls 7138->7141 7139->7137 7139->7138 7152 275dfe2 7139->7152 7146 275e23c 7141->7146 7142 275e1be 7142->7138 7143 275dbcf 3 API calls 7142->7143 7145 275e1d6 7143->7145 7144 275e21a CloseHandle 7144->7138 7145->7138 7145->7144 7147 275e1f9 WriteFile 7145->7147 7146->7137 7156 275e095 RegCreateKeyExA 7146->7156 7147->7144 7149 275e213 7147->7149 7149->7144 
7150 275e2a3 7150->7137 7151 275e095 4 API calls 7150->7151 7151->7137 7153 275dffc 7152->7153 7155 275e024 7152->7155 7154 275db2e 8 API calls 7153->7154 7153->7155 7154->7155 7155->7142 7157 275e172 7156->7157 7158 275e0c0 7156->7158 7157->7150 7159 275e13d 7158->7159 7161 275e115 RegSetValueExA 7158->7161 7160 275e14e RegDeleteValueA RegCloseKey 7159->7160 7160->7157 7161->7158 7161->7159 7163 2753122 InterlockedExchange 7162->7163 7164 275310f GetTickCount 7163->7164 7165 275312e 7163->7165 7164->7165 7166 275311a Sleep 7164->7166 7165->7064 7166->7163 7168 275f04e 4 API calls 7167->7168 7169 2753a83 7168->7169 7172 2753bc0 7169->7172 7173 2753b66 lstrlenA 7169->7173 7174 2753ac1 7169->7174 7170 2753be6 7171 275ec2e codecvt 4 API calls 7170->7171 7171->7174 7172->7170 7175 275ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7172->7175 7173->7169 7173->7174 7174->7070 7174->7071 7175->7172 7176->7085 7177->7087 7179 2756f55 wsprintfA 7178->7179 7180 2756eef AllocateAndInitializeSid 7178->7180 7179->7089 7181 2756f44 7180->7181 7182 2756f1c CheckTokenMembership 7180->7182 7181->7179 7186 2756e36 GetUserNameW 7181->7186 7183 2756f2e 7182->7183 7184 2756f3b FreeSid 7182->7184 7183->7184 7184->7181 7187 2756e5f LookupAccountNameW 7186->7187 7188 2756e97 7186->7188 7187->7188 7188->7179 7190 2752419 4 API calls 7189->7190 7191 27524b6 7190->7191 7191->7104 7193 275dd79 lstrlenA 7192->7193 7193->6440 7195 275eb17 7194->7195 7197 275eb21 7194->7197 7196 275eae4 2 API calls 7195->7196 7196->7197 7197->6520 7200 27569b9 WriteFile 7198->7200 7201 2756a3c 7200->7201 7203 27569ff 7200->7203 7201->6515 7201->6516 7202 2756a10 WriteFile 7202->7201 7202->7203 7203->7201 7203->7202 7205 2753ee2 7204->7205 7206 2753edc 7204->7206 7205->6531 7207 2756dc2 6 API calls 7206->7207 7207->7205 7209 275400b CreateFileA 7208->7209 7210 2754052 7209->7210 7211 275402c GetLastError 7209->7211 7210->6534 7211->7210 7212 2754037 7211->7212 7212->7210 7213 2754041 Sleep 
7212->7213 7213->7209 7213->7210 7215 2753f7c 7214->7215 7216 2753f4e GetLastError 7214->7216 7218 2753f8c ReadFile 7215->7218 7216->7215 7217 2753f5b WaitForSingleObject GetOverlappedResult 7216->7217 7217->7215 7219 2753ff0 7218->7219 7220 2753fc2 GetLastError 7218->7220 7219->6539 7219->6540 7220->7219 7221 2753fcf WaitForSingleObject GetOverlappedResult 7220->7221 7221->7219 7223 2751924 GetVersionExA 7222->7223 7223->6579 7225 275f0f1 7224->7225 7226 275f0ed 7224->7226 7227 275f119 7225->7227 7228 275f0fa lstrlenA SysAllocStringByteLen 7225->7228 7226->6611 7229 275f11c MultiByteToWideChar 7227->7229 7228->7229 7230 275f117 7228->7230 7229->7230 7230->6611 7232 2751820 17 API calls 7231->7232 7233 27518f2 7232->7233 7234 27518f9 7233->7234 7248 2751280 7233->7248 7234->6605 7236 2751908 7236->6605 7260 2751000 7237->7260 7239 2751839 7240 2751851 GetCurrentProcess 7239->7240 7241 275183d 7239->7241 7242 2751864 7240->7242 7241->6597 7242->6597 7244 275920e 7243->7244 7247 2759308 7243->7247 7244->7244 7245 27592f1 Sleep 7244->7245 7246 27592bf ShellExecuteA 7244->7246 7244->7247 7245->7244 7246->7244 7246->7247 7247->6605 7249 27512e1 7248->7249 7249->7249 7250 27516f9 GetLastError 7249->7250 7257 27513a8 7249->7257 7251 2751699 7250->7251 7251->7236 7252 2751570 lstrlenW 7252->7257 7253 27515be GetStartupInfoW 7253->7257 7254 27515ff CreateProcessWithLogonW 7255 27516bf GetLastError 7254->7255 7256 275163f WaitForSingleObject 7254->7256 7255->7251 7256->7257 7258 2751659 CloseHandle 7256->7258 7257->7251 7257->7252 7257->7253 7257->7254 7259 2751668 CloseHandle 7257->7259 7258->7257 7259->7257 7261 275100d LoadLibraryA 7260->7261 7270 2751023 7260->7270 7262 2751021 7261->7262 7261->7270 7262->7239 7263 27510b5 GetProcAddress 7264 27510d1 GetProcAddress 7263->7264 7265 275127b 7263->7265 7264->7265 7266 27510f0 GetProcAddress 7264->7266 7265->7239 7266->7265 7267 2751110 GetProcAddress 7266->7267 7267->7265 7268 2751130 GetProcAddress 7267->7268 7268->7265 
7269 275114f GetProcAddress 7268->7269 7269->7265 7271 275116f GetProcAddress 7269->7271 7270->7263 7280 27510ae 7270->7280 7271->7265 7272 275118f GetProcAddress 7271->7272 7272->7265 7273 27511ae GetProcAddress 7272->7273 7273->7265 7274 27511ce GetProcAddress 7273->7274 7274->7265 7275 27511ee GetProcAddress 7274->7275 7275->7265 7276 2751209 GetProcAddress 7275->7276 7276->7265 7277 2751225 GetProcAddress 7276->7277 7277->7265 7278 2751241 GetProcAddress 7277->7278 7278->7265 7279 275125c GetProcAddress 7278->7279 7279->7265 7280->7239 7282 275908d 7281->7282 7283 27590e2 wsprintfA 7282->7283 7284 275ee2a 7283->7284 7285 27590fd CreateFileA 7284->7285 7286 275913f 7285->7286 7287 275911a lstrlenA WriteFile CloseHandle 7285->7287 7286->6634 7286->6635 7287->7286 7289 275ee2a 7288->7289 7290 2759794 CreateProcessA 7289->7290 7291 27597c2 7290->7291 7292 27597bb 7290->7292 7293 27597d4 GetThreadContext 7291->7293 7292->6645 7294 27597f5 7293->7294 7295 2759801 7293->7295 7296 27597f6 TerminateProcess 7294->7296 7302 275637c 7295->7302 7296->7292 7298 2759816 7298->7296 7299 275981e WriteProcessMemory 7298->7299 7299->7294 7300 275983b SetThreadContext 7299->7300 7300->7294 7301 2759858 ResumeThread 7300->7301 7301->7292 7303 2756386 7302->7303 7304 275638a GetModuleHandleA VirtualAlloc 7302->7304 7303->7298 7305 27563b6 7304->7305 7309 27563f5 7304->7309 7306 27563be VirtualAllocEx 7305->7306 7307 27563d6 7306->7307 7306->7309 7308 27563df WriteProcessMemory 7307->7308 7308->7309 7309->7298 7311 275879f 7310->7311 7312 2758791 7310->7312 7313 27587bc 7311->7313 7315 275f04e 4 API calls 7311->7315 7314 275f04e 4 API calls 7312->7314 7316 275e819 11 API calls 7313->7316 7314->7311 7315->7313 7317 27587d7 7316->7317 7330 2758803 7317->7330 7465 27526b2 gethostbyaddr 7317->7465 7320 27587eb 7322 275e8a1 30 API calls 7320->7322 7320->7330 7322->7330 7325 275f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 7325->7330 7326 275e819 11 API 
calls 7326->7330 7327 27588a0 Sleep 7327->7330 7329 27526b2 2 API calls 7329->7330 7330->7325 7330->7326 7330->7327 7330->7329 7331 275e8a1 30 API calls 7330->7331 7362 2758cee 7330->7362 7370 275c4d6 7330->7370 7373 275c4e2 7330->7373 7376 2752011 7330->7376 7411 2758328 7330->7411 7331->7330 7333 2754084 7332->7333 7334 275407d 7332->7334 7335 2753ecd 6 API calls 7333->7335 7336 275408f 7335->7336 7337 2754000 3 API calls 7336->7337 7338 2754095 7337->7338 7339 2754130 7338->7339 7340 27540c0 7338->7340 7341 2753ecd 6 API calls 7339->7341 7345 2753f18 4 API calls 7340->7345 7342 2754159 CreateNamedPipeA 7341->7342 7343 2754167 Sleep 7342->7343 7344 2754188 ConnectNamedPipe 7342->7344 7343->7339 7346 2754176 CloseHandle 7343->7346 7348 2754195 GetLastError 7344->7348 7357 27541ab 7344->7357 7347 27540da 7345->7347 7346->7344 7349 2753f8c 4 API calls 7347->7349 7350 275425e DisconnectNamedPipe 7348->7350 7348->7357 7351 27540ec 7349->7351 7350->7344 7352 2754127 CloseHandle 7351->7352 7353 2754101 7351->7353 7352->7339 7354 2753f18 4 API calls 7353->7354 7356 275411c ExitProcess 7354->7356 7355 2753f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 7355->7357 7357->7344 7357->7350 7357->7355 7358 2753f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 7357->7358 7359 275426a CloseHandle CloseHandle 7357->7359 7358->7357 7360 275e318 23 API calls 7359->7360 7361 275427b 7360->7361 7361->7361 7363 2758d02 GetTickCount 7362->7363 7364 2758dae 7362->7364 7363->7364 7367 2758d19 7363->7367 7364->7330 7365 2758da1 GetTickCount 7365->7364 7367->7365 7369 2758d89 7367->7369 7470 275a677 7367->7470 7473 275a688 7367->7473 7369->7365 7481 275c2dc 7370->7481 7374 275c2dc 142 API calls 7373->7374 7375 275c4ec 7374->7375 7375->7330 7377 2752020 7376->7377 7379 275202e 7376->7379 7378 275f04e 4 API calls 7377->7378 7378->7379 7380 275f04e 4 API calls 7379->7380 7382 275204b 7379->7382 7380->7382 7381 275206e GetTickCount 7384 27520db GetTickCount 
7381->7384 7393 2752090 7381->7393 7382->7381 7383 275f04e 4 API calls 7382->7383 7386 2752068 7383->7386 7385 2752132 GetTickCount GetTickCount 7384->7385 7396 27520e7 7384->7396 7389 275f04e 4 API calls 7385->7389 7386->7381 7387 27520d4 GetTickCount 7387->7384 7388 275212b GetTickCount 7388->7385 7391 2752159 7389->7391 7390 2752684 2 API calls 7390->7393 7394 27521b4 7391->7394 7395 275e854 13 API calls 7391->7395 7393->7387 7393->7390 7401 27520ce 7393->7401 7821 2751978 7393->7821 7397 275f04e 4 API calls 7394->7397 7398 275218e 7395->7398 7396->7388 7403 2751978 15 API calls 7396->7403 7404 2752125 7396->7404 7811 2752ef8 7396->7811 7400 27521d1 7397->7400 7402 275e819 11 API calls 7398->7402 7405 27521f2 7400->7405 7407 275ea84 30 API calls 7400->7407 7401->7387 7406 275219c 7402->7406 7403->7396 7404->7388 7405->7330 7406->7394 7826 2751c5f 7406->7826 7408 27521ec 7407->7408 7409 275f04e 4 API calls 7408->7409 7409->7405 7412 2757dd6 6 API calls 7411->7412 7413 275833c 7412->7413 7414 2756ec3 2 API calls 7413->7414 7441 2758340 7413->7441 7415 275834f 7414->7415 7416 275835c 7415->7416 7421 275846b 7415->7421 7417 27573ff 17 API calls 7416->7417 7442 2758373 7417->7442 7418 27585df 7419 2758626 GetTempPathA 7418->7419 7432 2758768 7418->7432 7447 2758671 7418->7447 7433 2758638 7419->7433 7420 275675c 21 API calls 7420->7418 7423 27584a7 RegOpenKeyExA 7421->7423 7438 2758450 7421->7438 7424 27584c0 RegQueryValueExA 7423->7424 7425 275852f 7423->7425 7427 2758521 RegCloseKey 7424->7427 7428 27584dd 7424->7428 7430 2758564 RegOpenKeyExA 7425->7430 7445 27585a5 7425->7445 7426 27586ad 7429 2758762 7426->7429 7431 2757e2f 6 API calls 7426->7431 7427->7425 7428->7427 7435 275ebcc 4 API calls 7428->7435 7429->7432 7434 2758573 RegSetValueExA RegCloseKey 7430->7434 7430->7445 7446 27586bb 7431->7446 7437 275ec2e codecvt 4 API calls 7432->7437 7432->7441 7433->7447 7434->7445 7440 27584f0 7435->7440 7436 275875b DeleteFileA 7436->7429 7437->7441 7438->7418 
APIs
• closesocket.WS2_32(?), ref: 0275CA4E
• closesocket.WS2_32(?), ref: 0275CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 0275CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0275CCB4
• WriteFile.KERNEL32(0275A4B3,?,-000000E8,?,00000000), ref: 0275CCDC
• CloseHandle.KERNEL32(0275A4B3), ref: 0275CCED
• wsprintfA.USER32 ref: 0275CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0275CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0275CD89
• CloseHandle.KERNEL32(?), ref: 0275CD98
• CloseHandle.KERNEL32(?), ref: 0275CD9D
• DeleteFileA.KERNEL32(?), ref: 0275CDC4
• CloseHandle.KERNEL32(0275A4B3), ref: 0275CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0275CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0275CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0275D033
• lstrcatA.KERNEL32(?,03F00108), ref: 0275D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 0275D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0275D171
• WriteFile.KERNEL32(00000000,03F0012C,?,?,00000000), ref: 0275D195
• CloseHandle.KERNEL32(00000000), ref: 0275D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0275D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0275D231
• lstrcatA.KERNEL32(?,03F00108,?,?,?,?,?,?,?,00000100), ref: 0275D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0275D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0275D2C7
• WriteFile.KERNEL32(00000000,03F0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0275D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0275D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0275D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0275D372
• lstrcatA.KERNEL32(?,03F00108,?,?,?,?,?,?,?,00000100), ref: 0275D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0275D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0275D408
• WriteFile.KERNEL32(00000000,03F0012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0275D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0275D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0275D45B
• CreateProcessA.KERNEL32(?,02760264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0275D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0275D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0275D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0275D513
• closesocket.WS2_32(?), ref: 0275D56C
• Sleep.KERNEL32(000003E8), ref: 0275D577
• ExitProcess.KERNEL32 ref: 0275D583
• wsprintfA.USER32 ref: 0275D81F
  • Part of subcall function 0275C65C: send.WS2_32(00000000,?,00000000), ref: 0275C74B
• closesocket.WS2_32(?), ref: 0275DAD5
Strings
Memory Dump Source
• Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
• API String ID: 562065436-2997293747
• Opcode ID: fca6085f95f29f16319078b979f44f754f4aaa0ffd707bc77574c1e80aee95a5
• Instruction ID: ad3f4e5ddd65128e335fa362812eec06455460ec9ea93ca3bb9c284da21317be
• Opcode Fuzzy Hash: fca6085f95f29f16319078b979f44f754f4aaa0ffd707bc77574c1e80aee95a5
• Instruction Fuzzy Hash: C2B2C4B2D40329AFEB229FA4DD4DFEEBBB9EB05304F04446AED05A6140D7B09A55CF50
APIs
• SetErrorMode.KERNELBASE(00000003), ref: 02759A7F
• SetErrorMode.KERNELBASE(00000003), ref: 02759A83
• SetUnhandledExceptionFilter.KERNEL32(02756511), ref: 02759A8A
  • Part of subcall function 0275EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0275EC5E
  • Part of subcall function 0275EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0275EC72
  • Part of subcall function 0275EC54: GetTickCount.KERNEL32 ref: 0275EC78
• GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 02759AB3
• GetModuleFileNameA.KERNEL32(00000000), ref: 02759ABA
• GetCommandLineA.KERNEL32 ref: 02759AFD
• lstrlenA.KERNEL32(?), ref: 02759B99
• ExitProcess.KERNEL32 ref: 02759C06
• GetTempPathA.KERNEL32(000001F4,?), ref: 02759CAC
• lstrcpyA.KERNEL32(?,00000000), ref: 02759D7A
• lstrcatA.KERNEL32(?,?), ref: 02759D8B
• lstrcatA.KERNEL32(?,0276070C), ref: 02759D9D
• GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02759DED
• DeleteFileA.KERNEL32(00000022), ref: 02759E38
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02759E6F
• lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02759EC8
• lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02759ED5
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02759F3B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02759F5E
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02759F6A
• GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 02759FAD
• GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02759FB4
• GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02759FFE
• lstrcatA.KERNEL32(00000022,00000000), ref: 0275A038
• lstrcatA.KERNEL32(00000022,02760A34), ref: 0275A05E
• lstrcatA.KERNEL32(00000022,00000022), ref: 0275A072
• lstrcatA.KERNEL32(00000022,02760A34), ref: 0275A08D
• wsprintfA.USER32 ref: 0275A0B6
• lstrcatA.KERNEL32(00000022,00000000), ref: 0275A0DE
• lstrcatA.KERNEL32(00000022,?), ref: 0275A0FD
• CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0275A120
• DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0275A131
• GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0275A174
• GetModuleFileNameA.KERNEL32(00000000), ref: 0275A17B
• GetDriveTypeA.KERNEL32(00000022), ref: 0275A1B6
• GetCommandLineA.KERNEL32 ref: 0275A1E5
  • Part of subcall function 027599D2: lstrcpyA.KERNEL32(?,?,00000100,027622F8,00000000,?,02759E9D,?,00000022,?,?,?,?,?,?,?), ref: 027599DF
  • Part of subcall function 027599D2: lstrcatA.KERNEL32(00000022,00000000,?,?,02759E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 02759A3C
  • Part of subcall function 027599D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,02759E9D,?,00000022,?,?,?), ref: 02759A52
• lstrlenA.KERNEL32(?), ref: 0275A288
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0275A3B7
• GetLastError.KERNEL32 ref: 0275A3ED
• Sleep.KERNEL32(000003E8), ref: 0275A400
• DeleteFileA.KERNELBASE(027633D8), ref: 0275A407
• CreateThread.KERNELBASE(00000000,00000000,0275405E,00000000,00000000,00000000), ref: 0275A42C
• WSAStartup.WS2_32(00001010,?), ref: 0275A43A
• CreateThread.KERNELBASE(00000000,00000000,0275877E,00000000,00000000,00000000), ref: 0275A469
• Sleep.KERNELBASE(00000BB8), ref: 0275A48A
• GetTickCount.KERNEL32 ref: 0275A49F
• GetTickCount.KERNEL32 ref: 0275A4B7
• Sleep.KERNELBASE(00001A90), ref: 0275A4C3
Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                                            • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe$D$P$\$jcbeaetw
                                                                                            • API String ID: 2089075347-2075815589
                                                                                            • Opcode ID: 3049e8fde86c4b78e52d790792fcee9d6b7fd6a65c012ebb1db66de43c9c20af
                                                                                            • Instruction ID: b08388ce32216ae52e1ea68f9d751d384698afec4c69cebbce6c774f26f6cbbe
                                                                                            • Opcode Fuzzy Hash: 3049e8fde86c4b78e52d790792fcee9d6b7fd6a65c012ebb1db66de43c9c20af
                                                                                            • Instruction Fuzzy Hash: 585264B1D40369EFDF129BA4CC4DEEEBBBDBB04304F1445A5EA09E2141E7B19A448F61

                                                                                             Control-flow Graph: rendered graph of the function starting at 0275199c (blocks 275199c through 2751ac2); the executed/not-executed colouring and the node/edge listing are not reproduced here. The API calls shown in the graph (inet_addr, LoadLibraryA, GetProcAddress, GetBestInterface, GetProcessHeap, HeapAlloc, GetAdaptersInfo, HeapReAlloc, HeapFree, FreeLibrary) are listed under APIs below.
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(123.45.67.89), ref: 027519B1
                                                                                            • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,02751E9E), ref: 027519BF
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 027519E2
                                                                                            • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 027519ED
                                                                                            • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 027519F9
                                                                                            • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02751E9E), ref: 02751A1B
                                                                                            • GetProcessHeap.KERNEL32(?,?,?,?,00000001,02751E9E), ref: 02751A1D
                                                                                            • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02751E9E), ref: 02751A36
                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,02751E9E,?,?,?,?,00000001,02751E9E), ref: 02751A4A
                                                                                            • HeapReAlloc.KERNEL32(?,00000000,00000000,02751E9E,?,?,?,?,00000001,02751E9E), ref: 02751A5A
                                                                                            • GetAdaptersInfo.IPHLPAPI(00000000,02751E9E,?,?,?,?,00000001,02751E9E), ref: 02751A6E
                                                                                            • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02751E9E), ref: 02751A9B
                                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02751E9E), ref: 02751AA4
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                                            • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                                            • API String ID: 293628436-270533642
                                                                                            • Opcode ID: 3b9a14642817a1f801beb607184c7c8d02513b9813f0ba3fcf42720777083a28
                                                                                            • Instruction ID: c982e97bfb088ffb0ef796ae5587d2a917896f653ed7919897dc601014b9cf0d
                                                                                            • Opcode Fuzzy Hash: 3b9a14642817a1f801beb607184c7c8d02513b9813f0ba3fcf42720777083a28
                                                                                            • Instruction Fuzzy Hash: 33314172D40269AFDB129FE4CC8CABEFBB5FF45616B544969F905A2100D7B04E40CBA4

                                                                                             Control-flow Graph: rendered graph of the function starting at 02757a95 (blocks 2757a95 through 2757db6); the executed/not-executed colouring and the node/edge listing are not reproduced here. Besides the calls listed under APIs below, the graph also references RegCloseKey, GetAce, DeleteAce, SetSecurityDescriptorDacl, RegSetValueExA and an internal call to 02752544.
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 02757ABA
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 02757ADF
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,0276070C,?,?,?), ref: 02757B16
                                                                                            • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02757B3B
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 02757B59
                                                                                            • EqualSid.ADVAPI32(?,00000022), ref: 02757B6A
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02757B7E
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02757B8C
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02757B9C
                                                                                            • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 02757BAB
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02757BB2
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,02757FC9,?,00000000), ref: 02757BCE
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                                            • String ID: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe$D
                                                                                            • API String ID: 2976863881-36158169
                                                                                            • Opcode ID: 9a451131bbc4e0af53f93cd42a67bece9fa875e7b4148d8cee331cf653d36b9f
                                                                                            • Instruction ID: c251eda07d9b20dcd3cd8ec6b022eb96ed1e1cb8eb8ff0f8b01b6b35ffe40160
                                                                                            • Opcode Fuzzy Hash: 9a451131bbc4e0af53f93cd42a67bece9fa875e7b4148d8cee331cf653d36b9f
                                                                                            • Instruction Fuzzy Hash: 41A13AB1E40229AFEF159FA1DC88EEEFBBDFB44304F048469E905E2140E7759A55CB60

                                                                                             Control-flow Graph: rendered graph of the function starting at 02757809 (blocks 2757809 through 2757a94); the executed/not-executed colouring and the node/edge listing are not reproduced here. The API calls shown in the graph (GetUserNameA, LookupAccountNameA, GetLengthSid, GetFileSecurityA, GetSecurityDescriptorOwner, EqualSid, LocalAlloc, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, SetFileSecurityA, LocalFree, GetSecurityDescriptorDacl, GetAce, DeleteAce, SetSecurityDescriptorDacl) are listed under APIs below.
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,?), ref: 0275782F
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02757866
                                                                                            • GetLengthSid.ADVAPI32(?), ref: 02757878
                                                                                            • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0275789A
                                                                                            • GetSecurityDescriptorOwner.ADVAPI32(?,02757F63,?), ref: 027578B8
                                                                                            • EqualSid.ADVAPI32(?,02757F63), ref: 027578D2
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 027578E3
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 027578F1
                                                                                            • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02757901
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02757910
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02757917
                                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02757933
                                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 02757963
                                                                                            • EqualSid.ADVAPI32(?,02757F63), ref: 0275798A
                                                                                            • DeleteAce.ADVAPI32(?,00000000), ref: 027579A3
                                                                                            • EqualSid.ADVAPI32(?,02757F63), ref: 027579C5
                                                                                            • LocalAlloc.KERNEL32(00000040,00000014), ref: 02757A4A
                                                                                            • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02757A58
                                                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02757A69
                                                                                            • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02757A79
                                                                                            • LocalFree.KERNEL32(00000000), ref: 02757A87
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                                            • String ID: D
                                                                                            • API String ID: 3722657555-2746444292
                                                                                            • Opcode ID: 99f947808959be8f80bedc7f46024cc6771522da5d3fb9c9ec9d80b2754c0fe3
                                                                                            • Instruction ID: 0108fbef21307461fa7c49aed5623d047aef8c927475a174d092b0925dc153dc
                                                                                            • Opcode Fuzzy Hash: 99f947808959be8f80bedc7f46024cc6771522da5d3fb9c9ec9d80b2754c0fe3
                                                                                            • Instruction Fuzzy Hash: 8B813A71D0022AABDB25CFA4CD48FEEFBB8BF08344F14856AE905E2140D7759A55CBA4

                                                                                             Control-flow Graph: rendered graph of the function starting at 02758328 (blocks 2758328 through 275877d); the executed/not-executed colouring and the node/edge listing are not reproduced here. Besides the registry calls listed under APIs below, the graph also references GetTempPathA, lstrcpyA, lstrlenA, CreateProcessA, DeleteFileA, CloseHandle and internal calls to 02757dd6, 02756ec3, 027573ff, 02752544, 0275675c, 02756ba7, 02758274, 0275eca5, 02757e2f, 0275ee2a, 0275ef00, 0275ebcc, 02757fcf, 0275ec2e, 027524c2, 0275eed1, 02757ee6 and 02757ead.
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,02760750,?,?,00000000,localcfg,00000000), ref: 027583F3
                                                                                            • RegQueryValueExA.KERNELBASE(02760750,?,00000000,?,02758893,?,?,?,00000000,00000103,02760750,?,?,00000000,localcfg,00000000), ref: 02758414
                                                                                            • RegSetValueExA.KERNELBASE(02760750,?,00000000,00000004,02758893,00000004,?,?,00000000,00000103,02760750,?,?,00000000,localcfg,00000000), ref: 02758441
                                                                                            • RegCloseKey.ADVAPI32(02760750,?,?,00000000,00000103,02760750,?,?,00000000,localcfg,00000000), ref: 0275844A
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseOpenQuery
                                                                                            • String ID: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe$localcfg
                                                                                            • API String ID: 237177642-1740763546
                                                                                            • Opcode ID: fd497a92c3d4486ef87c990851e0c57e368b0763f9e2eaf62485c17d3e8ea8c4
                                                                                            • Instruction ID: 2d840a0e4c4819e14e764590964603cd4bead38a07f5a4a18bc948da04fe68c4
                                                                                            • Opcode Fuzzy Hash: fd497a92c3d4486ef87c990851e0c57e368b0763f9e2eaf62485c17d3e8ea8c4
                                                                                            • Instruction Fuzzy Hash: CAC185B1D40269BFEB129FA4DC89EFEBBBDEB04304F144865ED05A6041E7B14A94CF61

                                                                                            Control-flow Graph

                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32 ref: 02751DC6
                                                                                            • GetSystemInfo.KERNELBASE(?), ref: 02751DE8
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 02751E03
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02751E0A
                                                                                            • GetCurrentProcess.KERNEL32(?), ref: 02751E1B
                                                                                            • GetTickCount.KERNEL32 ref: 02751FC9
                                                                                              • Part of subcall function 02751BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 02751C15
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                                            • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                                            • API String ID: 4207808166-1381319158
                                                                                            • Opcode ID: fce1416994b4d88a28576d3ab0f43d510063114c1cb3c61583376079f4207cff
                                                                                            • Instruction ID: d779f70245df8123690da7a11e87a7ec2c2b9ebaa13a9414de7c4b71cf45e0da
                                                                                            • Opcode Fuzzy Hash: fce1416994b4d88a28576d3ab0f43d510063114c1cb3c61583376079f4207cff
                                                                                            • Instruction Fuzzy Hash: 6E51A0B09083546FE321AB768C8DF2BFAECFB45709F44491DFD5A92142D7F4A9048BA1

                                                                                            Control-flow Graph

                                                                                             • Graph rendering not reproduced; the function's basic blocks span 0x27573FF-0x2757808 (executed/not-executed colouring omitted) and the calls made from them are listed under APIs below.
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,75920F10,00000000), ref: 02757472
                                                                                            • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,75920F10,00000000), ref: 027574F0
                                                                                            • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,75920F10,00000000), ref: 02757528
                                                                                            • ___ascii_stricmp.LIBCMT ref: 0275764D
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,75920F10,00000000), ref: 027576E7
                                                                                            • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 02757706
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 02757717
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,75920F10,00000000), ref: 02757745
                                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,75920F10,00000000), ref: 027577EF
                                                                                              • Part of subcall function 0275F1A5: lstrlenA.KERNEL32(000000C8,000000E4,027622F8,000000C8,02757150,?), ref: 0275F1AD
                                                                                            • GetFileAttributesExA.KERNELBASE(00000022,00000000,?), ref: 0275778F
                                                                                            • RegCloseKey.KERNELBASE(?), ref: 027577E6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                                            • String ID: "
                                                                                            • API String ID: 3433985886-123907689
                                                                                            • Opcode ID: 93ce9d556c1714b35201afe043d44693dab2313135428c1842f189d7af469dec
                                                                                            • Instruction ID: cefd2789bc888b9a0dd2a1429a5d5921c81cd31602d8721e743c5e94d1115a52
                                                                                            • Opcode Fuzzy Hash: 93ce9d556c1714b35201afe043d44693dab2313135428c1842f189d7af469dec
                                                                                            • Instruction Fuzzy Hash: B2C18171900229AFEB169FA4DC48FEEFBBAEF45310F140495ED04E6190EBB19A54CF60

                                                                                            Control-flow Graph

                                                                                             • Graph rendering not reproduced; the function's basic blocks span 0x275675C-0x2756986 (executed/not-executed colouring omitted) and the calls made from them are listed under APIs below.
                                                                                            APIs
                                                                                            • SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0275677E
                                                                                            • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0275679A
                                                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 027567B0
                                                                                            • SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 027567BF
                                                                                            • GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 027567D3
                                                                                            • ReadFile.KERNELBASE(000000FF,?,00000040,02758244,00000000,?,75920F10,00000000), ref: 02756807
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0275681F
                                                                                            • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0275683E
                                                                                            • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0275685C
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000028,02758244,00000000,?,75920F10,00000000), ref: 0275688B
                                                                                            • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,75920F10,00000000), ref: 02756906
                                                                                            • ReadFile.KERNEL32(000000FF,?,00000000,02758244,00000000,?,75920F10,00000000), ref: 0275691C
                                                                                            • FindCloseChangeNotification.KERNELBASE(000000FF,?,75920F10,00000000), ref: 02756971
                                                                                              • Part of subcall function 0275EC2E: GetProcessHeap.KERNEL32(00000000,0275EA27,00000000,0275EA27,00000000), ref: 0275EC41
                                                                                              • Part of subcall function 0275EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0275EC48
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                                            • String ID:
                                                                                            • API String ID: 1400801100-0
                                                                                            • Opcode ID: cbacdf52b7442a435969f86d950369b55c0daaf89e7d5d9c21a706a168bbd659
                                                                                            • Instruction ID: e4cc40c4bb3f6b80da643a8f9be84900c4ae816d5f4a32a6c462d71a0dac6ecb
                                                                                            • Opcode Fuzzy Hash: cbacdf52b7442a435969f86d950369b55c0daaf89e7d5d9c21a706a168bbd659
                                                                                            • Instruction Fuzzy Hash: 6B7126B1C0022DEFDF158FA4CC84AEEBBB9FB04314F50456AE915A6190E7709E92CF60
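                                                                                             The read sizes in the routine at 0x275675C are the PE on-disk header sizes: 0x40 is sizeof(IMAGE_DOS_HEADER), the 0xF8 read at the seeked offset is sizeof(IMAGE_NT_HEADERS32), and the 0x28 read inside the loop is sizeof(IMAGE_SECTION_HEADER), followed by a seek and one more read for the chosen section's raw data. The Python below is an added illustration of that sequence (not code from the sample or from Joe Sandbox); the trace does not show which section is selected, so lookup by section name, the constructed sample image and the `localcfg` payload bytes are assumptions for the demonstration.

```python
"""Minimal PE32 section reader mirroring the 0x40 / 0xF8 / 0x28 read sequence.

Added example; not code from the analysed sample. Section lookup by name is
an assumption; build_sample_pe() produces constructed, non-executable input."""
import io
import struct

DOS_HEADER_SIZE = 0x40      # sizeof(IMAGE_DOS_HEADER)
NT_HEADERS32_SIZE = 0xF8    # "PE\0\0" (4) + IMAGE_FILE_HEADER (20) + IMAGE_OPTIONAL_HEADER32 (224)
SECTION_HEADER_SIZE = 0x28  # sizeof(IMAGE_SECTION_HEADER)
PE32_MAGIC = 0x10B          # IMAGE_NT_OPTIONAL_HDR32_MAGIC
FILE_ALIGN = 0x200


def _read_exact(f, n):
    """ReadFile-style read that fails loudly instead of returning a short buffer."""
    buf = f.read(n)
    if len(buf) != n:
        raise ValueError("short read: wanted %d bytes, got %d" % (n, len(buf)))
    return buf


def list_sections(image):
    """Parse the section table of a PE32 image (bytes) and return it in table order."""
    f = io.BytesIO(image)
    dos = _read_exact(f, DOS_HEADER_SIZE)                 # ReadFile(h, buf, 0x40)
    if dos[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    f.seek(e_lfanew)                                      # SetFilePointer(h, e_lfanew, 0, FILE_BEGIN)
    nt = _read_exact(f, NT_HEADERS32_SIZE)                # ReadFile(h, buf, 0xF8)
    if nt[:4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = struct.unpack_from("<H", nt, 6)[0]     # IMAGE_FILE_HEADER.NumberOfSections
    size_opt = struct.unpack_from("<H", nt, 20)[0]        # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    magic = struct.unpack_from("<H", nt, 24)[0]           # IMAGE_OPTIONAL_HEADER.Magic
    if magic != PE32_MAGIC:
        raise ValueError("not PE32 (optional header magic 0x%X)" % magic)
    # The section table starts after the optional header; trust SizeOfOptionalHeader,
    # not the 0xE0 that a fixed 0xF8 read implicitly assumes.
    f.seek(e_lfanew + 24 + size_opt)                      # SetFilePointer(h, table_off, 0, FILE_BEGIN)
    sections = []
    for _ in range(num_sections):
        sh = _read_exact(f, SECTION_HEADER_SIZE)          # ReadFile(h, buf, 0x28), once per section
        name = sh[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", sh, 8)
        sections.append({"name": name, "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": rawsize, "raw_ptr": rawptr})
    return sections


def read_section(image, name):
    """Return the raw file bytes of the named section, or None if it is absent."""
    for sec in list_sections(image):
        if sec["name"] == name:
            f = io.BytesIO(image)
            f.seek(sec["raw_ptr"])                        # SetFilePointer(h, PointerToRawData, 0, FILE_BEGIN)
            return _read_exact(f, sec["raw_size"])        # ReadFile(h, buf, SizeOfRawData)
    return None


def build_sample_pe(sections):
    """Build a minimal, non-executable PE32 image (constructed test input).

    sections: list of (name, data) pairs placed at 0x200-aligned file offsets."""
    hdr_len = DOS_HEADER_SIZE + NT_HEADERS32_SIZE + SECTION_HEADER_SIZE * len(sections)
    raw_ptr = -(-hdr_len // FILE_ALIGN) * FILE_ALIGN      # first raw-data offset, rounded up
    first_raw = raw_ptr
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)    # e_lfanew: NT headers follow the DOS header
    nt = bytearray(NT_HEADERS32_SIZE)
    nt[:4] = b"PE\0\0"
    struct.pack_into("<HH", nt, 4, 0x14C, len(sections))  # Machine = i386, NumberOfSections
    struct.pack_into("<HH", nt, 20, 0xE0, 0x0102)         # SizeOfOptionalHeader, EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<H", nt, 24, PE32_MAGIC)
    table, body, va = bytearray(), bytearray(), 0x1000
    for name, data in sections:
        raw_size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        sh = bytearray(SECTION_HEADER_SIZE)
        sh[:8] = name.encode("ascii")[:8].ljust(8, b"\0")
        struct.pack_into("<IIII", sh, 8, len(data), va, raw_size, raw_ptr)
        struct.pack_into("<I", sh, 36, 0x60000020)        # Characteristics: CODE | EXECUTE | READ
        table += sh
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += 0x1000
    image = dos + nt + table
    image += b"\0" * (first_raw - len(image))
    return bytes(image + body)
```

                                                                                             The fixed 0xF8 read is correct for PE32 only; a PE32+ image has a 240-byte optional header, which is why the parser above validates the magic and takes the section-table offset from SizeOfOptionalHeader rather than assuming it.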

                                                                                            Control-flow Graph

                                                                                             • Graph rendering not reproduced; the function's basic blocks span 0x275F315-0x275F427 (executed/not-executed colouring omitted) and the calls made from them are listed under APIs below.
                                                                                            APIs
                                                                                            • htons.WS2_32(0275CA1D), ref: 0275F34D
                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 0275F367
                                                                                            • closesocket.WS2_32(00000000), ref: 0275F375
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: closesockethtonssocket
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 311057483-2401304539
                                                                                            • Opcode ID: a6306034e22988f1517560cc596a5e326ecfbf7128acf1e1be2c1b5a6bed4eba
                                                                                            • Instruction ID: c0f7baa2428b8aba674048027b055ee736465715b1b857769b784b4b6ae3d1f5
                                                                                            • Opcode Fuzzy Hash: a6306034e22988f1517560cc596a5e326ecfbf7128acf1e1be2c1b5a6bed4eba
                                                                                            • Instruction Fuzzy Hash: 50317C72940228AFDB11DFA4DC889EFBBBCFF89310F104566F915E3140E7B09A418BA1
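                                                                                             The routine at 0x275F315 is a connect-with-timeout: socket(AF_INET, SOCK_STREAM), ioctlsocket to make it non-blocking, connect, select, a single __WSAFDIsSet check, then ioctlsocket again to restore blocking mode before handing the socket on. The string "time_cfg" it references is presumably where the timeout comes from, though the trace does not confirm that. Below is an added Python rendering of the same idiom (not the sample's code); the local listener and the closed-port case are constructed for the demonstration.

```python
"""Non-blocking connect with a select() timeout, then back to blocking mode.

Added example of the idiom seen in the trace; not code from the sample.
demo() uses a constructed local listener and a closed local port."""
import errno
import select
import socket

_IN_PROGRESS = (errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EAGAIN)  # WSAEWOULDBLOCK on Windows


def connect_with_timeout(host, port, timeout):
    """Return a connected, blocking socket, or None on refusal/timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # socket(2, 1, 0)
    try:
        s.setblocking(False)                                  # ioctlsocket(FIONBIO, 1)
        err = s.connect_ex((host, port))
        if err != 0 and err not in _IN_PROGRESS:
            s.close()
            return None
        if err != 0:
            # Winsock reports a failed non-blocking connect in the *except* set and a
            # successful one in the write set; POSIX marks a failure writable too, so
            # the SO_ERROR check below is what actually decides.
            _, writable, exceptional = select.select([], [s], [s], timeout)
            if not writable and not exceptional:
                s.close()                                     # timed out
                return None
        if s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) != 0:
            s.close()                                         # e.g. ECONNREFUSED
            return None
        s.setblocking(True)                                   # ioctlsocket(FIONBIO, 0)
        return s
    except OSError:
        s.close()
        return None


def demo():
    """Constructed check: a live local listener connects; the same port, once closed, is refused."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    conn = connect_with_timeout("127.0.0.1", port, 2.0)
    reachable = conn is not None
    if conn:
        conn.close()
    srv.close()
    refused = connect_with_timeout("127.0.0.1", port, 2.0) is None
    return reachable, refused
```

                                                                                             The single FD_ISSET seen in the trace is sufficient on Windows only if the write set is the one tested; a detection-minded reader can also note that a bot implementing its own timeout this way will show a burst of SYNs to its C2 candidates without any corresponding application data when the hosts are down.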

                                                                                            Control-flow Graph

                                                                                             • Graph rendering not reproduced; the function's basic blocks span 0x275405E-0x275427B (executed/not-executed colouring omitted) and the calls made from them are listed under APIs below.
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02754070
                                                                                            • ExitProcess.KERNEL32 ref: 02754121
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateEventExitProcess
                                                                                            • String ID:
                                                                                            • API String ID: 2404124870-0
                                                                                            • Opcode ID: 1bb8202f906360d8ff969a0ba42f9fd981d9ee4ec3de58196be958a4c05531e7
                                                                                            • Instruction ID: 5223c3fe734a2e95b086aeef39f8f2b4310fb1b0fc2b3dba90623b066d2fd87d
                                                                                            • Opcode Fuzzy Hash: 1bb8202f906360d8ff969a0ba42f9fd981d9ee4ec3de58196be958a4c05531e7
                                                                                            • Instruction Fuzzy Hash: EE5170B1D40229BAEB21ABA09C49FBFBA7DEB11754F104455FE14B60C0E7B18A41CBA1

                                                                                            Control-flow Graph

                                                                                             • Graph rendering not reproduced; the function's basic blocks span 0x2752D21-0x2752DF1 (executed/not-executed colouring omitted) and the calls made from them are listed under APIs below.
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,02752F01,?,027520FF,02762000), ref: 02752D3A
                                                                                            • LoadLibraryA.KERNEL32(?), ref: 02752D4A
                                                                                            • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02752D61
                                                                                            • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02752D77
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 02752D99
                                                                                            • HeapAlloc.KERNEL32(00000000), ref: 02752DA0
                                                                                            • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 02752DCB
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                                            • String ID: DnsQuery_A$dnsapi.dll
                                                                                            • API String ID: 233223969-3847274415
                                                                                            • Opcode ID: 336a46de4754bbf8ccb49ad55c51aa13a69c03acd7e306465a78f0cd7e605566
                                                                                            • Instruction ID: a75f023a2f4c3866f6a720f54ddc4dc67db6cd0286c9690be140614d3d4311a8
                                                                                            • Opcode Fuzzy Hash: 336a46de4754bbf8ccb49ad55c51aa13a69c03acd7e306465a78f0cd7e605566
                                                                                            • Instruction Fuzzy Hash: B6214A71940326BBCB229B66DC48AAEFBB8FF08B51F104416FD05A7101D7B0AA858BD0

                                                                                            Control-flow Graph

                                                                                             • Graph rendering not reproduced; the function's basic blocks span 0x27580C9-0x2758273 (executed/not-executed colouring omitted) and the calls made from them are listed under APIs below.
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 0275815F
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0275A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02758187
                                                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0275A45F,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 027581BE
                                                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,75920F10,00000000), ref: 02758210
                                                                                              • Part of subcall function 0275675C: SetFileAttributesA.KERNEL32(?,00000080,?,75920F10,00000000), ref: 0275677E
                                                                                              • Part of subcall function 0275675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,75920F10,00000000), ref: 0275679A
                                                                                              • Part of subcall function 0275675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,75920F10,00000000), ref: 027567B0
                                                                                              • Part of subcall function 0275675C: SetFileAttributesA.KERNEL32(?,00000002,?,75920F10,00000000), ref: 027567BF
                                                                                              • Part of subcall function 0275675C: GetFileSize.KERNEL32(000000FF,00000000,?,75920F10,00000000), ref: 027567D3
                                                                                              • Part of subcall function 0275675C: ReadFile.KERNELBASE(000000FF,?,00000040,02758244,00000000,?,75920F10,00000000), ref: 02756807
                                                                                              • Part of subcall function 0275675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0275681F
                                                                                              • Part of subcall function 0275675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,75920F10,00000000), ref: 0275683E
                                                                                              • Part of subcall function 0275675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,75920F10,00000000), ref: 0275685C
                                                                                              • Part of subcall function 0275EC2E: GetProcessHeap.KERNEL32(00000000,0275EA27,00000000,0275EA27,00000000), ref: 0275EC41
                                                                                              • Part of subcall function 0275EC2E: RtlFreeHeap.NTDLL(00000000), ref: 0275EC48
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                                            • String ID: C:\Windows\SysWOW64\jcbeaetw\szylttbf.exe
                                                                                            • API String ID: 124786226-2476057647
                                                                                            • Opcode ID: ba80dede7627304399e9ba028b50efc163be837b1a1b4d3b3da8c457f5c70aed
                                                                                            • Instruction ID: fc46e75b663c4f9e42906e56da5b308b528f3dde28c40ff65f4a545fa19d5179
                                                                                            • Opcode Fuzzy Hash: ba80dede7627304399e9ba028b50efc163be837b1a1b4d3b3da8c457f5c70aed
                                                                                            • Instruction Fuzzy Hash: 474198B1D45269BFEB51EB90DD88DBFFB7DAB04304F04486AED05E2001E7B15E948B51

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 1300 2751ac3-2751adc LoadLibraryA 1301 2751ae2-2751af3 GetProcAddress 1300->1301 1302 2751b6b-2751b70 1300->1302 1303 2751af5-2751b01 1301->1303 1304 2751b6a 1301->1304 1305 2751b1c-2751b27 GetAdaptersAddresses 1303->1305 1304->1302 1306 2751b03-2751b12 call 275ebed 1305->1306 1307 2751b29-2751b2b 1305->1307 1306->1307 1315 2751b14-2751b1b 1306->1315 1309 2751b2d-2751b32 1307->1309 1310 2751b5b-2751b5e 1307->1310 1312 2751b34-2751b3b 1309->1312 1313 2751b69 1309->1313 1310->1313 1314 2751b60-2751b68 call 275ec2e 1310->1314 1316 2751b54-2751b59 1312->1316 1317 2751b3d-2751b52 1312->1317 1313->1304 1314->1313 1315->1305 1316->1310 1316->1312 1317->1316 1317->1317
                                                                                            APIs
                                                                                            • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02751AD4
                                                                                            • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02751AE9
                                                                                            • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02751B20
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                                            • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                                            • API String ID: 3646706440-1087626847
                                                                                            • Opcode ID: 97c2b32ac3cff513633909f5957f14cfdb4de0c971bfedc9f1bb9a490a7659ea
                                                                                            • Instruction ID: d77a3000306fd851f57796a7a375880fa00f714ad5bddedd86e6d60ee4f173c3
                                                                                            • Opcode Fuzzy Hash: 97c2b32ac3cff513633909f5957f14cfdb4de0c971bfedc9f1bb9a490a7659ea
                                                                                            • Instruction Fuzzy Hash: E311E971E01538BFDB15DBA8CC88DEDFBBAEB44B12B954055E809E7100E7B04E40CB90

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 1320 275e3ca-275e3ee RegOpenKeyExA 1321 275e3f4-275e3fb 1320->1321 1322 275e528-275e52d 1320->1322 1323 275e3fe-275e403 1321->1323 1323->1323 1324 275e405-275e40f 1323->1324 1325 275e414-275e452 call 275ee08 call 275f1ed RegQueryValueExA 1324->1325 1326 275e411-275e413 1324->1326 1331 275e51d-275e527 RegCloseKey 1325->1331 1332 275e458-275e486 call 275f1ed RegQueryValueExA 1325->1332 1326->1325 1331->1322 1335 275e488-275e48a 1332->1335 1335->1331 1336 275e490-275e4a1 call 275db2e 1335->1336 1336->1331 1339 275e4a3-275e4a6 1336->1339 1340 275e4a9-275e4d3 call 275f1ed RegQueryValueExA 1339->1340 1343 275e4d5-275e4da 1340->1343 1344 275e4e8-275e4ea 1340->1344 1343->1344 1345 275e4dc-275e4e6 1343->1345 1344->1331 1346 275e4ec-275e516 call 2752544 call 275e332 1344->1346 1345->1340 1345->1344 1346->1331
                                                                                            APIs
                                                                                            • RegOpenKeyExA.KERNELBASE(80000001,0275E5F2,00000000,00020119,0275E5F2,027622F8), ref: 0275E3E6
                                                                                            • RegQueryValueExA.ADVAPI32(0275E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0275E44E
                                                                                            • RegQueryValueExA.ADVAPI32(0275E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0275E482
                                                                                            • RegQueryValueExA.ADVAPI32(0275E5F2,?,00000000,?,80000001,?), ref: 0275E4CF
                                                                                            • RegCloseKey.ADVAPI32(0275E5F2,?,?,?,?,000000C8,000000E4), ref: 0275E520
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: QueryValue$CloseOpen
                                                                                            • String ID:
                                                                                            • API String ID: 1586453840-0
                                                                                            • Opcode ID: 25affffe3b97ebfa69b0505ffc3859c61d043c9dc3f35b4292c90394fac936b5
                                                                                            • Instruction ID: c41406d8e9565497a608c0fbd6b0c43140edceaac63526839eea0a6bda4b71af
                                                                                            • Opcode Fuzzy Hash: 25affffe3b97ebfa69b0505ffc3859c61d043c9dc3f35b4292c90394fac936b5
                                                                                            • Instruction Fuzzy Hash: F941E8B2D0022DAFEF119FD4DC84DEEBBBDFB08344F144566EA10A2150E3B19A559FA1

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 1351 275f26d-275f303 setsockopt * 5
                                                                                            APIs
                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0275F2A0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0275F2C0
                                                                                            • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0275F2DD
                                                                                            • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0275F2EC
                                                                                            • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0275F2FD
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: setsockopt
                                                                                            • String ID:
                                                                                            • API String ID: 3981526788-0
                                                                                            • Opcode ID: 8de9b12aaf9adec31a036e4e774bcef00bb70f9e9ef3a20c1d18f127f124e3f0
                                                                                            • Instruction ID: 06183837faf5a360ba1cfed3ac8f32733f4c96d17fc09061096095c67421dd9e
                                                                                            • Opcode Fuzzy Hash: 8de9b12aaf9adec31a036e4e774bcef00bb70f9e9ef3a20c1d18f127f124e3f0
                                                                                            • Instruction Fuzzy Hash: 6311FBB1A40248BAEB11DE94CD45F9E7FBCEB44751F008066BB04EA1D0E6B19A44CB94

                                                                                            Control-flow Graph
                                                                                            control_flow_graph 1352 2751bdf-2751c04 call 2751ac3 1354 2751c09-2751c0b 1352->1354 1355 2751c0d-2751c1d GetComputerNameA 1354->1355 1356 2751c5a-2751c5e 1354->1356 1357 2751c45-2751c57 GetVolumeInformationA 1355->1357 1358 2751c1f-2751c24 1355->1358 1357->1356 1358->1357 1359 2751c26-2751c3b 1358->1359 1359->1359 1360 2751c3d-2751c3f 1359->1360 1360->1357 1361 2751c41-2751c43 1360->1361 1361->1356
                                                                                            APIs
                                                                                              • Part of subcall function 02751AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02751AD4
                                                                                              • Part of subcall function 02751AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02751AE9
                                                                                              • Part of subcall function 02751AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02751B20
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 02751C15
                                                                                            • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02751C51
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: hi_id$localcfg
                                                                                            • API String ID: 2794401326-2393279970
                                                                                            • Opcode ID: 28fad9e5b10bafedc7297e0cf21c72e065331358a4ddaa8d7c66453ce221bd6d
                                                                                            • Instruction ID: b4925a93ca4de23f3ce47962e066c9ee6e8678a2af08d56c2eab816126f38ab2
                                                                                            • Opcode Fuzzy Hash: 28fad9e5b10bafedc7297e0cf21c72e065331358a4ddaa8d7c66453ce221bd6d
                                                                                            • Instruction Fuzzy Hash: 29019672D01128BFEB10DAF8C8C4AFFFBBDE744646F504475EA06E3100D2B09D449660
                                                                                            APIs
                                                                                              • Part of subcall function 02751AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02751AD4
                                                                                              • Part of subcall function 02751AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02751AE9
                                                                                              • Part of subcall function 02751AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02751B20
                                                                                            • GetComputerNameA.KERNEL32(?,0000000F), ref: 02751BA3
                                                                                            • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,02751EFD,00000000,00000000,00000000,00000000), ref: 02751BB8
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 2794401326-1857712256
                                                                                            • Opcode ID: 56a380ff6cd725aedddedff30064e9fb452aa51f3f70b567897b148b3fa03e01
                                                                                            • Instruction ID: 1ce3e5d4c38e4acc69b5f5c11924b789cfd1b5fd215308dd032b9461378ccf41
                                                                                            • Opcode Fuzzy Hash: 56a380ff6cd725aedddedff30064e9fb452aa51f3f70b567897b148b3fa03e01
                                                                                            • Instruction Fuzzy Hash: 57014FB6D00118BFEB019AE9C885AEFFABDEB48655F550561AA05F7140D5B05E048AA0
                                                                                            APIs
                                                                                            • inet_addr.WS2_32(00000001), ref: 02752693
                                                                                            • gethostbyname.WS2_32(00000001), ref: 0275269F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: gethostbynameinet_addr
                                                                                            • String ID: time_cfg
                                                                                            • API String ID: 1594361348-2401304539
                                                                                            • Opcode ID: 684fc13b4b77c53b6649013a774c374e8a02c8ada323908dd21df6b61d2f6e6a
                                                                                            • Instruction ID: b7f63f74f03751fa51c412d6b1b5b7373bc99b485f6f49b374cde58b94099f7e
                                                                                            • Opcode Fuzzy Hash: 684fc13b4b77c53b6649013a774c374e8a02c8ada323908dd21df6b61d2f6e6a
                                                                                            • Instruction Fuzzy Hash: 94E0C2306041218FDB108F28F448BD6B7E4EF06230F018580FC40C3191C770DC808780
                                                                                            APIs
                                                                                              • Part of subcall function 0275DD05: GetTickCount.KERNEL32 ref: 0275DD0F
                                                                                              • Part of subcall function 0275DD05: InterlockedExchange.KERNEL32(027636B4,00000001), ref: 0275DD44
                                                                                              • Part of subcall function 0275DD05: GetCurrentThreadId.KERNEL32 ref: 0275DD53
                                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,75920F10,?,00000000,?,0275A445), ref: 0275E558
                                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,75920F10,?,00000000,?,0275A445), ref: 0275E583
                                                                                            • CloseHandle.KERNEL32(00000000,?,75920F10,?,00000000,?,0275A445), ref: 0275E5B2
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                                            • String ID:
                                                                                            • API String ID: 3683885500-0
                                                                                            • Opcode ID: f69457cc9984fa50d08201ef225d3ff98cc3b85f81b748bb9ac423b109b80e83
                                                                                            • Instruction ID: 33fea64e70986c9149e40c757cf0b1ca5bb60954738afa3511c945dd23835d97
                                                                                            • Opcode Fuzzy Hash: f69457cc9984fa50d08201ef225d3ff98cc3b85f81b748bb9ac423b109b80e83
                                                                                            • Instruction Fuzzy Hash: B021B1B2E803207BF6227A219C5EF6BBA1DDB55750F100454FE0EA51D3FAE1DA108AF1
                                                                                            APIs
                                                                                            • Sleep.KERNELBASE(000003E8), ref: 027588A5
                                                                                              • Part of subcall function 0275F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0275E342,00000000,7508EA50,80000001,00000000,0275E513,?,00000000,00000000,?,000000E4), ref: 0275F089
                                                                                              • Part of subcall function 0275F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0275E342,00000000,7508EA50,80000001,00000000,0275E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0275F093
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Time$FileSystem$Sleep
                                                                                            • String ID: localcfg$rresolv
                                                                                            • API String ID: 1561729337-486471987
                                                                                            • Opcode ID: 391322323b5bdc21439c26957c33c2fbaaf7b52717f031e995e3139ad4ee4fbe
                                                                                            • Instruction ID: 93eaa7fa7945585a61480b04e3c58504afdbeed26165c9b9ab0243793dcd0b65
                                                                                            • Opcode Fuzzy Hash: 391322323b5bdc21439c26957c33c2fbaaf7b52717f031e995e3139ad4ee4fbe
                                                                                            • Instruction Fuzzy Hash: 06212931A883216FF356B7656C4EFAABAD9EB02724F540819FD08850C2EFF5559049A3
                                                                                            APIs
                                                                                            • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,027622F8,027542B6,00000000,00000001,027622F8,00000000,?,027598FD), ref: 02754021
                                                                                            • GetLastError.KERNEL32(?,027598FD,00000001,00000100,027622F8,0275A3C7), ref: 0275402C
                                                                                            • Sleep.KERNEL32(000001F4,?,027598FD,00000001,00000100,027622F8,0275A3C7), ref: 02754046
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CreateErrorFileLastSleep
                                                                                            • String ID:
                                                                                            • API String ID: 408151869-0
                                                                                            • Opcode ID: f289152fecbb21b5be4198ba333d3b1b7a665fca248a36205604e9f020305307
                                                                                            • Instruction ID: fc63a53c63edc185d59cf3e2a8ce58c2e41e9b74b16f7906f12ce640049c6346
                                                                                            • Opcode Fuzzy Hash: f289152fecbb21b5be4198ba333d3b1b7a665fca248a36205604e9f020305307
                                                                                            • Instruction Fuzzy Hash: 4FF0A7316402116AD7350F34AC5DBAAB361EF81724F358F64F7B9E20D0C7B044C19B14
APIs
• GetEnvironmentVariableA.KERNELBASE(0275DC19,?,00000104), ref: 0275DB7F
• lstrcpyA.KERNEL32(?,027628F8), ref: 0275DBA4
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 0275DBC2
Similarity
• API ID: CreateEnvironmentFileVariablelstrcpy
• String ID:
• API String ID: 2536392590-0
APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 0275EC5E
• GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0275EC72
• GetTickCount.KERNEL32 ref: 0275EC78
Similarity
• API ID: Time$CountFileInformationSystemTickVolume
• String ID:
• API String ID: 1209300637-0
APIs
• gethostname.WS2_32(?,00000080), ref: 027530D8
• gethostbyname.WS2_32(?), ref: 027530E2
Similarity
• API ID: gethostbynamegethostname
• String ID:
• API String ID: 3961807697-0
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,7FFF0001,80000001,?,0275DB55,7FFF0001), ref: 0275EC13
• RtlReAllocateHeap.NTDLL(00000000,?,0275DB55,7FFF0001), ref: 0275EC1A
  • Part of subcall function 0275EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0275EBFE,7FFF0001,?,0275DB55,7FFF0001), ref: 0275EBD3
  • Part of subcall function 0275EBCC: RtlAllocateHeap.NTDLL(00000000,?,0275DB55,7FFF0001), ref: 0275EBDA
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
APIs
  • Part of subcall function 0275EBA0: GetProcessHeap.KERNEL32(00000000,00000000,0275EC0A,00000000,80000001,?,0275DB55,7FFF0001), ref: 0275EBAD
  • Part of subcall function 0275EBA0: HeapSize.KERNEL32(00000000,?,0275DB55,7FFF0001), ref: 0275EBB4
• GetProcessHeap.KERNEL32(00000000,0275EA27,00000000,0275EA27,00000000), ref: 0275EC41
• RtlFreeHeap.NTDLL(00000000), ref: 0275EC48
Similarity
• API ID: Heap$Process$FreeSize
• String ID:
• API String ID: 1305341483-0
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,80000001,0275EBFE,7FFF0001,?,0275DB55,7FFF0001), ref: 0275EBD3
• RtlAllocateHeap.NTDLL(00000000,?,0275DB55,7FFF0001), ref: 0275EBDA
  • Part of subcall function 0275EB74: GetProcessHeap.KERNEL32(00000000,00000000,0275EC28,00000000,?,0275DB55,7FFF0001), ref: 0275EB81
  • Part of subcall function 0275EB74: HeapSize.KERNEL32(00000000,?,0275DB55,7FFF0001), ref: 0275EB88
Similarity
• API ID: Heap$Process$AllocateSize
• String ID:
• API String ID: 2559512979-0
APIs
• recv.WS2_32(000000C8,?,00000000,0275CA44), ref: 0275F476
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
APIs
• closesocket.WS2_32(00000000), ref: 02751992
Similarity
• API ID: closesocket
• String ID:
• API String ID: 2781271927-0
APIs
• lstrcmpiA.KERNEL32(80000011,00000000), ref: 0275DDB5
Similarity
• API ID: lstrcmpi
• String ID:
• API String ID: 1586166983-0
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02759816,EntryPoint), ref: 0275638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,02759816,EntryPoint), ref: 027563A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 027563CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 027563EB
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• String ID:
• API String ID: 1965334864-0
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,00000000,02751839,02759646), ref: 02751012
• GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 027510C2
• GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 027510E1
• GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 02751101
• GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 02751121
• GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02751140
• GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 02751160
• GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 02751180
• GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0275119F
• GetProcAddress.KERNEL32(00000000,NtClose), ref: 027511BF
• GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 027511DF
• GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 027511FE
• GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0275121A
Similarity
• API ID: AddressProc$LibraryLoad
• String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
• API String ID: 2238633743-3228201535
APIs
• GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0275B2B3
• FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0275B2C2
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0275B2D0
• SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0275B2E1
• FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0275B31A
• GetTimeZoneInformation.KERNEL32(?), ref: 0275B329
• wsprintfA.USER32 ref: 0275B3B7
Similarity
• API ID: Time$File$System$Local$InformationZonewsprintf
• String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
• API String ID: 766114626-2976066047
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                                            • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                                            • API String ID: 2400214276-165278494
                                                                                            • Opcode ID: 62e35cc7a02399b527f7a9f90aa16998b0b8539852f34a4d89edd2bfe14d5b10
                                                                                            • Instruction ID: 68e9ddfccabf889454e6663a6ed3433042ec5718eb9f5d4b35c4664d0412f9f6
                                                                                            • Opcode Fuzzy Hash: 62e35cc7a02399b527f7a9f90aa16998b0b8539852f34a4d89edd2bfe14d5b10
                                                                                            • Instruction Fuzzy Hash: 74615DB2950218AFEB609FB4DC49FEA7BE9FF08300F148469FD69D2121DB7199548F50
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0275A7FB
                                                                                            • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0275A87E
                                                                                            • send.WS2_32(00000000,?,00000000,00000000), ref: 0275A893
                                                                                            • wsprintfA.USER32 ref: 0275A8AF
                                                                                            • send.WS2_32(00000000,.,00000005,00000000), ref: 0275A8D2
                                                                                            • wsprintfA.USER32 ref: 0275A8E2
                                                                                            • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0275A97C
                                                                                            • wsprintfA.USER32 ref: 0275A9B9
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$send$lstrlenrecv
                                                                                            • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                                            • API String ID: 3650048968-2394369944
                                                                                            • Opcode ID: 4e1f24ef603b6f7fb0bcd3a93c6b676ecc065728c2dc801e0f1749fd1a95169e
                                                                                            • Instruction ID: b98817dab7a3a7a3dd1c67403ed0c525cb2fa719c7a6f73343d7bd2ffbd172ee
                                                                                            • Opcode Fuzzy Hash: 4e1f24ef603b6f7fb0bcd3a93c6b676ecc065728c2dc801e0f1749fd1a95169e
                                                                                            • Instruction Fuzzy Hash: 67A13B71D44339ABEF118A54DC89FBEFB66BB00308F144676FD06A6080EBF19944CB95
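The strings and calls above (ehlo/helo, AUTH LOGIN, mail from, rcpt to, data, quit, the three "respons" error messages and a recv() of 0x3F6 bytes) describe a hand-written SMTP client. The following Python is an added reconstruction of that dialogue written for this page; it is not code from the sample and nothing in it was recovered from the binary. The reply sizes come from the report, the choice of ehlo for an "ESMTP" banner is an assumption, and the scripted server replies are constructed test data.

```python
import base64

# Sizes taken from the API arguments visible in the report; the rest of this
# module is an added reconstruction of the dialogue, not the sample's code.
RECV_SIZE = 0x3F6            # recv() length in the report (1014 bytes)
MIN_REPLY = 3                # a reply needs at least a 3-digit status code


class FakeMta:
    """Constructed peer for offline runs: returns scripted replies in order and
    records every command line the client sends."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def banner(self):
        return self.replies.pop(0)

    def exchange(self, command):
        self.sent.append(command)
        return self.replies.pop(0)


def reply_error(raw: str, expected: str):
    """Validate one server reply the way the report's error strings suggest.
    Returns None when the reply is acceptable, otherwise the error text."""
    if len(raw) > RECV_SIZE:
        return "Too big smtp respons (%d bytes)" % len(raw)
    if len(raw) < MIN_REPLY:
        return "Too small respons"
    # The status code of a multi-line reply is on its last line.
    last = raw.rstrip("\r\n").splitlines()[-1]
    if not last.startswith(expected):
        return "Incorrect respons"
    return None


def expect(mta, command, code):
    """Send command (None = only read the banner) and require a reply starting with code."""
    raw = mta.banner() if command is None else mta.exchange(command)
    err = reply_error(raw, code)
    if err:
        raise RuntimeError(err)
    return raw


def send_message(mta, helo_name, mail_from, rcpt_to, message, creds=None):
    """Client side of one delivery; returns the list of command lines sent."""
    banner = expect(mta, None, "220")
    # Assumption: an 'ESMTP' banner selects ehlo, anything else the older helo;
    # the report contains both greeting templates and the literal "ESMTP".
    greeting = "ehlo" if "ESMTP" in banner else "helo"
    expect(mta, "%s %s" % (greeting, helo_name), "250")
    if creds:
        user, password = creds
        expect(mta, "AUTH LOGIN", "334")
        expect(mta, base64.b64encode(user.encode()).decode(), "334")
        expect(mta, base64.b64encode(password.encode()).decode(), "235")
    expect(mta, "mail from:<%s>" % mail_from, "250")
    expect(mta, "rcpt to:<%s>" % rcpt_to, "250")
    expect(mta, "data", "354")
    expect(mta, message + "\r\n.", "250")      # lone "." on its own line ends DATA
    expect(mta, "quit", "221")
    return mta.sent


def demo():
    """Happy-path run against constructed replies from an authenticating ESMTP server."""
    mta = FakeMta([
        "220 mx.example ESMTP ready",
        "250-mx.example\r\n250 AUTH LOGIN PLAIN",
        "334 VXNlcm5hbWU6", "334 UGFzc3dvcmQ6", "235 ok",
        "250 ok", "250 ok", "354 go ahead", "250 queued", "221 bye",
    ])
    return send_message(mta, "host.example", "alice@example.org",
                        "bob@example.net", "Subject: hi\r\n\r\nhello", ("user", "pw"))
```

The dialogue runs from the injected svchost.exe straight to the recipient's MX or a configured relay on TCP/25, not through a mail client, so the practical control is egress filtering of port 25 from workstations (only the organisation's relay may send) together with an alert on svchost.exe opening outbound port 25 connections.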
                                                                                            APIs
                                                                                            • ShellExecuteExW.SHELL32(?), ref: 0275139A
                                                                                            • lstrlenW.KERNEL32(-00000003), ref: 02751571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ExecuteShelllstrlen
                                                                                            • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDGu$uac$useless$wusa.exe
                                                                                            • API String ID: 1628651668-3716895483
                                                                                            • Opcode ID: 7331bd842e54e1d6745a870078ef2019dc924ab0dc7ced3e8dfd2c36b3aa4be7
                                                                                            • Instruction ID: aae6086ed1f493ba862702530bc126998f212a39e5196c795f8938b48ebcd761
                                                                                            • Opcode Fuzzy Hash: 7331bd842e54e1d6745a870078ef2019dc924ab0dc7ced3e8dfd2c36b3aa4be7
                                                                                            • Instruction Fuzzy Hash: A2F17AB59083519FE320DF64C888B6AF7E5FB88709F408D2DF99A97280D7B49944CF52
                                                                                            APIs
                                                                                            • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,7591F380), ref: 02752A83
                                                                                            • HeapAlloc.KERNEL32(00000000,?,7591F380), ref: 02752A86
                                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 02752AA0
                                                                                            • htons.WS2_32(00000000), ref: 02752ADB
                                                                                            • select.WS2_32 ref: 02752B28
                                                                                            • recv.WS2_32(?,00000000,00001000,00000000), ref: 02752B4A
                                                                                            • htons.WS2_32(?), ref: 02752B71
                                                                                            • htons.WS2_32(?), ref: 02752B8C
                                                                                            • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02752BFB
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                                            • String ID:
                                                                                            • API String ID: 1639031587-0
                                                                                            • Opcode ID: 6f8f92d98bb280e23f7ba8b0ceaedf795d6eedf8db7bd40fdd0ad351e2648893
                                                                                            • Instruction ID: 817795f054e7472a95a141c7f5ebe70bdc9cdb4307f65aa530ad22406546e7d9
                                                                                            • Opcode Fuzzy Hash: 6f8f92d98bb280e23f7ba8b0ceaedf795d6eedf8db7bd40fdd0ad351e2648893
                                                                                            • Instruction Fuzzy Hash: E661BD719053259FD720AF64DC48B6BFBE8FB88745F054809FD49A7242D7F0E8448BA2
                                                                                            APIs
                                                                                            • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,75920F10,?,75920F10,00000000), ref: 027570C2
                                                                                            • RegEnumValueA.ADVAPI32(75920F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,75920F10,00000000), ref: 0275719E
                                                                                            • RegCloseKey.ADVAPI32(75920F10,?,75920F10,00000000), ref: 027571B2
                                                                                            • RegCloseKey.ADVAPI32(75920F10), ref: 02757208
                                                                                            • RegCloseKey.ADVAPI32(75920F10), ref: 02757291
                                                                                            • ___ascii_stricmp.LIBCMT ref: 027572C2
                                                                                            • RegCloseKey.ADVAPI32(75920F10), ref: 027572D0
                                                                                            • RegCloseKey.ADVAPI32(75920F10), ref: 02757314
                                                                                            • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0275738D
                                                                                            • RegCloseKey.ADVAPI32(75920F10), ref: 027573D8
                                                                                              • Part of subcall function 0275F1A5: lstrlenA.KERNEL32(000000C8,000000E4,027622F8,000000C8,02757150,?), ref: 0275F1AD
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                                            • String ID: $"
                                                                                            • API String ID: 4293430545-3817095088
                                                                                            • Opcode ID: f60f7e71c92dc20470e443277ada9b3b715a06e877b1d1cc96e5264c3dcfdb31
                                                                                            • Instruction ID: 8e698673d7e2b59c88478a885b953dbee68741b07bc55fd4ee60088d68322ddf
                                                                                            • Opcode Fuzzy Hash: f60f7e71c92dc20470e443277ada9b3b715a06e877b1d1cc96e5264c3dcfdb31
                                                                                            • Instruction Fuzzy Hash: 1DB16371D44229AFEB199FA4DC48BEFF7B9AF04310F100466FD05E6090EBB59A94CB64
                                                                                            APIs
                                                                                            • GetLocalTime.KERNEL32(?), ref: 0275AD98
                                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 0275ADA6
                                                                                              • Part of subcall function 0275AD08: gethostname.WS2_32(?,00000080), ref: 0275AD1C
                                                                                              • Part of subcall function 0275AD08: lstrlenA.KERNEL32(00000000), ref: 0275AD60
                                                                                              • Part of subcall function 0275AD08: lstrlenA.KERNEL32(00000000), ref: 0275AD69
                                                                                              • Part of subcall function 0275AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0275AD7F
                                                                                              • Part of subcall function 027530B5: gethostname.WS2_32(?,00000080), ref: 027530D8
                                                                                              • Part of subcall function 027530B5: gethostbyname.WS2_32(?), ref: 027530E2
                                                                                            • wsprintfA.USER32 ref: 0275AEA5
                                                                                              • Part of subcall function 0275A7A3: inet_ntoa.WS2_32(?), ref: 0275A7A9
                                                                                            • wsprintfA.USER32 ref: 0275AE4F
                                                                                            • wsprintfA.USER32 ref: 0275AE5E
                                                                                              • Part of subcall function 0275EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0275EF92
                                                                                              • Part of subcall function 0275EF7C: lstrlenA.KERNEL32(?), ref: 0275EF99
                                                                                              • Part of subcall function 0275EF7C: lstrlenA.KERNEL32(00000000), ref: 0275EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                                            • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                                            • API String ID: 3631595830-1816598006
                                                                                            • Opcode ID: 5828fa6be17e15ffc546afa150a67d46d42fa1df103bb7daaad8246ffc47e9f8
                                                                                            • Instruction ID: 4cdfea54dfd5aa910d3ddce4ec05129f8bade586c6aae5c33323aab3a4ffa7b5
                                                                                            • Opcode Fuzzy Hash: 5828fa6be17e15ffc546afa150a67d46d42fa1df103bb7daaad8246ffc47e9f8
                                                                                            • Instruction Fuzzy Hash: 744112B290031C6BEB26AFA0DC49EEE7BADFB08304F14482AFD1592151EA71D6548F50
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(iphlpapi.dll,759223A0,?,000DBBA0,?,00000000,02752F0F,?,027520FF,02762000), ref: 02752E01
                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02752F0F,?,027520FF,02762000), ref: 02752E11
                                                                                            • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02752E2E
                                                                                            • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02752F0F,?,027520FF,02762000), ref: 02752E4C
                                                                                            • HeapAlloc.KERNEL32(00000000,?,00000000,02752F0F,?,027520FF,02762000), ref: 02752E4F
                                                                                            • htons.WS2_32(00000035), ref: 02752E88
                                                                                            • inet_addr.WS2_32(?), ref: 02752E93
                                                                                            • gethostbyname.WS2_32(?), ref: 02752EA6
                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,00000000,02752F0F,?,027520FF,02762000), ref: 02752EE3
                                                                                            • HeapFree.KERNEL32(00000000,?,00000000,02752F0F,?,027520FF,02762000), ref: 02752EE6
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                                            • String ID: GetNetworkParams$iphlpapi.dll
                                                                                            • API String ID: 929413710-2099955842
                                                                                            • Opcode ID: 939c4278115308e4d444a15b86da18ec16d638d6d6bc255dc3bc87b73b2e87c0
                                                                                            • Instruction ID: 6cfa33ffa276d1beced68f93aae15881d6d4d38342d4ff4900f47140551e2565
                                                                                            • Opcode Fuzzy Hash: 939c4278115308e4d444a15b86da18ec16d638d6d6bc255dc3bc87b73b2e87c0
                                                                                            • Instruction Fuzzy Hash: E431A231E4031AABDB119BB89C4CB6FBBB8BF04365F144519ED14E7281DBB0D9528B50
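Two of the functions above together outline a resolver the sample carries itself: one opens a UDP socket (socket(2, 2, 17) is AF_INET/SOCK_DGRAM/IPPROTO_UDP), waits with select() and reads up to 0x1000 bytes; the other resolves GetNetworkParams from iphlpapi.dll (the API that returns the host's configured DNS servers), converts port 0x35 (53) with htons and falls back to gethostbyname. The Python below is an added example for this page, not the sample's code: a minimal DNS A-record client over UDP/53 plus the reversed-octet name construction that real-time blackhole lists use. That the resolver serves an RBL check is an inference from the rbl_ip and rbl_bl configuration keys visible later in this report; the zone rbl.example and the answer bytes are constructed for offline testing.

```python
import random
import socket
import struct

# Added example: wire-level DNS query/response handling (RFC 1035) and the
# reversed-octet naming convention of DNS-based blocklists. Not the sample's code.


def rbl_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the list zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def build_query(name: str, txid: int, qtype: int = 1) -> bytes:
    """Standard recursive query: 12-byte header, QNAME labels, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # flags: RD set
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_a_records(msg: bytes, txid: int) -> list:
    """Return the A-record addresses of a reply; [] on NXDOMAIN or any other RCODE."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    if flags & 0x000F:                         # RCODE != 0: for an RBL this means "not listed"
        return []
    off = 12
    for _ in range(qd):                        # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips


def query_udp(server: str, name: str, timeout: float = 3.0) -> list:
    """Send the query straight to server:53 over UDP, bypassing the OS resolver (uses the network)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(0x1000)
    return parse_a_records(data, txid)


def fake_reply(query: bytes, answer_ip) -> bytes:
    """Constructed reply for offline use: echoes the question and, if answer_ip is given,
    adds one A record whose name is a pointer back to offset 12; otherwise NXDOMAIN."""
    txid = struct.unpack("!H", query[:2])[0]
    if answer_ip is None:
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + socket.inet_aton(answer_ip)
    return header + query[12:] + answer


def is_listed(ip: str, zone: str, resolve) -> bool:
    """DNSBL convention: any 127.0.0.x answer for the reversed name means the IP is listed."""
    return any(a.startswith("127.0.0.") for a in resolve(rbl_name(ip, zone)))


def demo() -> bool:
    """Offline run: the constructed zone answers 127.0.0.2 for every name."""
    def offline_resolve(name):
        q = build_query(name, 0x1234)
        return parse_a_records(fake_reply(q, "127.0.0.2"), 0x1234)
    return is_listed("192.0.2.10", "rbl.example", offline_resolve)
```

Because the queries are built and sent by the process itself, they never pass through the Windows DNS client, so ETW-based DNS client logging (the source behind Sysmon's DnsQuery event) does not record them; catching this pattern needs network-side DNS logging or an alert on a process other than the DNS client service sending UDP/53 directly to the configured resolvers.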
                                                                                            APIs
                                                                                            • GetVersionExA.KERNEL32(?,?,02759DD7,?,00000022,?,?,00000000,00000001), ref: 02759340
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,02759DD7,?,00000022,?,?,00000000,00000001), ref: 0275936E
                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,02759DD7,?,00000022,?,?,00000000,00000001), ref: 02759375
                                                                                            • wsprintfA.USER32 ref: 027593CE
                                                                                            • wsprintfA.USER32 ref: 0275940C
                                                                                            • wsprintfA.USER32 ref: 0275948D
                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 027594F1
                                                                                            • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02759526
                                                                                            • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02759571
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                                            • String ID: runas
                                                                                            • API String ID: 3696105349-4000483414
                                                                                            • Opcode ID: b878a65bebbb63f9754cda2ab3cea01967004b78ffe2333b7e603161dc287881
                                                                                            • Instruction ID: 6cd7f671a59c483481b0a0e0833654304767344e52a15303cdd4f638bb93cfde
                                                                                            • Opcode Fuzzy Hash: b878a65bebbb63f9754cda2ab3cea01967004b78ffe2333b7e603161dc287881
                                                                                            • Instruction Fuzzy Hash: EFA16DB1940268EFEB269FA0CC49FDE7BADFB04740F104466FE0592142E7B59554CFA1
                                                                                            APIs
                                                                                            • wsprintfA.USER32 ref: 0275B467
                                                                                              • Part of subcall function 0275EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0275EF92
                                                                                              • Part of subcall function 0275EF7C: lstrlenA.KERNEL32(?), ref: 0275EF99
                                                                                              • Part of subcall function 0275EF7C: lstrlenA.KERNEL32(00000000), ref: 0275EFA0
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$wsprintf
                                                                                            • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                                            • API String ID: 1220175532-2340906255
                                                                                            • Opcode ID: 45163d1d8636d371451845d895c6701ff2caf840d92d91002d4c543d2543875b
                                                                                            • Instruction ID: 1fc45ab62c381a5f16ff980020c4011c71e76e3dde6911f48c3fc6c2c24fd416
                                                                                            • Opcode Fuzzy Hash: 45163d1d8636d371451845d895c6701ff2caf840d92d91002d4c543d2543875b
                                                                                            • Instruction Fuzzy Hash: 3A4120B25411297FEB02AB94CCC9DFFBF6EFF49648F140425FD05A2040DBB1AA149BA1
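Three of the functions listed in this part of the report carry the message-composition format strings: "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u" with the weekday and month abbreviations (the layout of an RFC 2822 Date header, built from GetLocalTime/GetTimeZoneInformation), "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX" next to the %OUTLOOK_BND_/%OUTLOOK_HST/%OUTLOOK_MID placeholders, and the %FROM_*/%TO_*/%DATE template placeholders directly above. The Python below is an added example for this page, not the sample's code: it fills those exact format strings from constructed values, expands the placeholders, and gives a mail analyst two regexes that recognise headers laid out that way. The Bias sign handling follows the documented TIME_ZONE_INFORMATION semantics; the sample values and headers are constructed.

```python
import re
from datetime import datetime

# Added example built around the format strings quoted in the report; not the sample's code.
WEEKDAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")   # SYSTEMTIME.wDayOfWeek order
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

DATE_FMT = "%s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u"             # verbatim from the report
BOUNDARY_FMT = "----=_NextPart_%03d_%04X_%08.8lX.%08.8lX"       # verbatim from the report


def render_date(local: datetime, bias_minutes: int) -> str:
    """Fill DATE_FMT from SYSTEMTIME-style fields and a TIME_ZONE_INFORMATION.Bias.
    Bias is defined so that UTC = local + Bias, hence UTC+2 has Bias -120 and the sign flips."""
    offset = -bias_minutes
    sign = "+" if offset >= 0 else "-"
    offset = abs(offset)
    wday = WEEKDAYS[(local.weekday() + 1) % 7]                   # Python: Monday=0, SYSTEMTIME: Sunday=0
    return DATE_FMT % (wday, local.day, MONTHS[local.month - 1], local.year,
                       local.hour, local.minute, local.second, sign, offset // 60, offset % 60)


def render_boundary(part: int, seq: int, hi: int, lo: int) -> str:
    """Fill BOUNDARY_FMT; Python's %-formatting accepts and ignores the 'l' length modifier."""
    return BOUNDARY_FMT % (part, seq, hi, lo)


# Placeholders from the two template functions in the report.
PLACEHOLDERS = ("%DATE", "%FROM_DOMAIN", "%FROM_EMAIL", "%FROM_USER", "%M5DATE", "%P5DATE",
                "%TO_DOMAIN", "%TO_EMAIL", "%TO_HASH", "%TO_USER",
                "%OUTLOOK_BND_", "%OUTLOOK_HST", "%OUTLOOK_MID")
_TOKEN = re.compile("|".join(re.escape(p) for p in sorted(PLACEHOLDERS, key=len, reverse=True)))


def expand_template(template: str, values: dict) -> str:
    """Replace every known %NAME token in one pass; unknown tokens are left untouched."""
    return _TOKEN.sub(lambda m: values.get(m.group(0), m.group(0)), template)


# Detection side: %u leaves the day unpadded, so "02 Jul" cannot come from DATE_FMT.
DATE_RE = re.compile(r"^(?:Sun|Mon|Tue|Wed|Thu|Fri|Sat), (?:[1-9]|[12][0-9]|3[01]) "
                     r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) \d{4} "
                     r"\d{2}:\d{2}:\d{2} [+-]\d{4}$")
BOUNDARY_RE = re.compile(r'boundary="?(----=_NextPart_\d{3}_[0-9A-F]{4}_[0-9A-F]{8}\.[0-9A-F]{8})"?')


def fingerprint(headers: str) -> dict:
    """Report whether a header block matches the Date and boundary layouts above."""
    result = {"date_format": False, "nextpart_boundary": False}
    for line in headers.splitlines():
        if line.startswith("Date:"):
            result["date_format"] = bool(DATE_RE.match(line[5:].strip()))
        elif line.startswith("Content-Type:") and BOUNDARY_RE.search(line):
            result["nextpart_boundary"] = True
    return result


# Constructed header template in the style the placeholders imply.
SAMPLE_HEADERS = (
    "From: %FROM_USER <%FROM_EMAIL>\r\n"
    "To: %TO_EMAIL\r\n"
    "Date: %DATE\r\n"
    'Content-Type: multipart/alternative; boundary="%OUTLOOK_BND_"\r\n'
)


def demo() -> dict:
    """Render the constructed template and run the fingerprint over the result."""
    values = {
        "%FROM_USER": "alice", "%FROM_EMAIL": "alice@example.org", "%FROM_DOMAIN": "example.org",
        "%TO_EMAIL": "bob@example.net",
        "%DATE": render_date(datetime(2024, 7, 2, 9, 5, 7), 300),     # Bias 300 = UTC-5
        "%OUTLOOK_BND_": render_boundary(0, 0x1A2B, 0x01DAD3C4, 0x5E6F7081),
    }
    return fingerprint(expand_template(SAMPLE_HEADERS, values))
```

The boundary layout is the one Outlook and Outlook Express themselves generate, which is presumably why the placeholder is named %OUTLOOK_BND_, so BOUNDARY_RE on its own will match plenty of legitimate mail; treat both regexes as features to combine with sender reputation and the RBL/relay context rather than as a verdict.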
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 02752078
                                                                                            • GetTickCount.KERNEL32 ref: 027520D4
                                                                                            • GetTickCount.KERNEL32 ref: 027520DB
                                                                                            • GetTickCount.KERNEL32 ref: 0275212B
                                                                                            • GetTickCount.KERNEL32 ref: 02752132
                                                                                            • GetTickCount.KERNEL32 ref: 02752142
                                                                                              • Part of subcall function 0275F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0275E342,00000000,7508EA50,80000001,00000000,0275E513,?,00000000,00000000,?,000000E4), ref: 0275F089
                                                                                              • Part of subcall function 0275F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0275E342,00000000,7508EA50,80000001,00000000,0275E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0275F093
                                                                                              • Part of subcall function 0275E854: lstrcpyA.KERNEL32(00000001,?,?,0275D8DF,00000001,localcfg,except_info,00100000,02760264), ref: 0275E88B
                                                                                              • Part of subcall function 0275E854: lstrlenA.KERNEL32(00000001,?,0275D8DF,00000001,localcfg,except_info,00100000,02760264), ref: 0275E899
                                                                                              • Part of subcall function 02751C5F: wsprintfA.USER32 ref: 02751CE1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                                            • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                                            • API String ID: 3976553417-1522128867
                                                                                            • Opcode ID: b340cd51659058c8897d1ff87f284920f758b7d9441901762afd204cde6b91c8
                                                                                            • Instruction ID: 25fddffa2ffc2bdfaffbce4ef05771fc77f9ef1ec40265c6a07c779f1d1339e1
                                                                                            • Opcode Fuzzy Hash: b340cd51659058c8897d1ff87f284920f758b7d9441901762afd204cde6b91c8
                                                                                            • Instruction Fuzzy Hash: 48514370E893569EE369EF30ED4DB27BBD5AF00304F09481EEE4986193DBF4A454CA11
                                                                                            APIs
                                                                                              • Part of subcall function 0275A4C7: GetTickCount.KERNEL32 ref: 0275A4D1
                                                                                              • Part of subcall function 0275A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0275A4FA
                                                                                            • GetTickCount.KERNEL32 ref: 0275C31F
                                                                                            • GetTickCount.KERNEL32 ref: 0275C32B
                                                                                            • GetTickCount.KERNEL32 ref: 0275C363
                                                                                            • GetTickCount.KERNEL32 ref: 0275C378
                                                                                            • GetTickCount.KERNEL32 ref: 0275C44D
                                                                                            • InterlockedIncrement.KERNEL32(0275C4E4), ref: 0275C4AE
                                                                                            • CreateThread.KERNEL32(00000000,00000000,0275B535,00000000,?,0275C4E0), ref: 0275C4C1
                                                                                            • CloseHandle.KERNEL32(00000000,?,0275C4E0,02763588,02758810), ref: 0275C4CC
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1553760989-1857712256
                                                                                            • Opcode ID: 3b8894d0ae5d62690ede96e6539d18b8f7a243e4142423bc1bf9cdc11a3a615f
                                                                                            • Instruction ID: dd989b0e2eda385abfdc361fecf531a8c98d5969d87ebd38a9e2984f69d971af
                                                                                            • Opcode Fuzzy Hash: 3b8894d0ae5d62690ede96e6539d18b8f7a243e4142423bc1bf9cdc11a3a615f
                                                                                            • Instruction Fuzzy Hash: 69518AB1A00B558FD7658F69C684A2AFBE9FB48304B505D3ED98BC7A90D7B4F844CB10
                                                                                            APIs
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0275BE4F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0275BE5B
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0275BE67
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0275BF6A
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0275BF7F
                                                                                            • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0275BF94
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmpi
                                                                                            • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                                            • API String ID: 1586166983-1625972887
                                                                                            • Opcode ID: b20ce44ec0c17694b24ff53c934a507606c3d1b50d6e1918165ff74a5c607424
                                                                                            • Instruction ID: 3962d22777067f9e13100575928072720cca5928f3905f51066d5ec1c0e42b04
                                                                                            • Opcode Fuzzy Hash: b20ce44ec0c17694b24ff53c934a507606c3d1b50d6e1918165ff74a5c607424
                                                                                            • Instruction Fuzzy Hash: A851D471A0032AEFEB118F65C884B7EFBA9AF0534CF046455EC41AB258D7B0E951CF90
                                                                                            APIs
                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,75918A60,?,?,?,?,02759A60,?,?,02759E9D), ref: 02756A7D
                                                                                            • GetDiskFreeSpaceA.KERNEL32(02759E9D,02759A60,?,?,?,027622F8,?,?,?,02759A60,?,?,02759E9D), ref: 02756ABB
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,02759A60,?,?,02759E9D), ref: 02756B40
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02759A60,?,?,02759E9D), ref: 02756B4E
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02759A60,?,?,02759E9D), ref: 02756B5F
                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,02759A60,?,?,02759E9D), ref: 02756B6F
                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02759A60,?,?,02759E9D), ref: 02756B7D
                                                                                            • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,02759A60,?,?,02759E9D), ref: 02756B80
                                                                                            • GetLastError.KERNEL32(?,?,?,02759A60,?,?,02759E9D,?,?,?,?,?,02759E9D,?,00000022,?), ref: 02756B96
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                                            • String ID:
                                                                                            • API String ID: 3188212458-0
                                                                                            • Opcode ID: d5bd9ce14a2266b5d0ee312315164939449698b722be849e129654ecc4aedcda
                                                                                            • Instruction ID: 084e7583e5872de33e511c1c40cf6eac7d1b9100c400822f72ed8e8d91ab00bd
                                                                                            • Opcode Fuzzy Hash: d5bd9ce14a2266b5d0ee312315164939449698b722be849e129654ecc4aedcda
                                                                                            • Instruction Fuzzy Hash: CB31D3B2D0065DBFDB019FA48848ADEBB7DFB44310F148866EA51A3241D77099558F61
                                                                                            APIs
                                                                                            • GetUserNameA.ADVAPI32(?,0275D7C3), ref: 02756F7A
                                                                                            • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0275D7C3), ref: 02756FC1
                                                                                            • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 02756FE8
                                                                                            • LocalFree.KERNEL32(00000120), ref: 0275701F
                                                                                            • wsprintfA.USER32 ref: 02757036
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                                            • String ID: /%d$|
                                                                                            • API String ID: 676856371-4124749705
                                                                                            • Opcode ID: 862da33209c1d56c0b7b2df4d978241268d9e32ae334be2a81725d46896526c9
                                                                                            • Instruction ID: 69678d3c7f35658fb3d25424002109c6c011cd1254aec6604a3d2f406a46c018
                                                                                            • Opcode Fuzzy Hash: 862da33209c1d56c0b7b2df4d978241268d9e32ae334be2a81725d46896526c9
                                                                                            • Instruction Fuzzy Hash: 99311872900219AFDB01DFA8D849AEABBBDFF05314F048166F859DB140EB75D6088B94
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,027622F8,000000E4,02756DDC,000000C8), ref: 02756CE7
                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 02756CEE
                                                                                            • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02756D14
                                                                                            • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02756D2B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                                            • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                                            • API String ID: 1082366364-3395550214
                                                                                            • Opcode ID: 9542d6e5f0624c28044dd2837f5d943ba82aa00b8413b11afb8c7e20b2951470
                                                                                            • Instruction ID: 3337ccf24a9ea51e673df8215b898ffa50954ea1355186217375681c7e3025cf
                                                                                            • Opcode Fuzzy Hash: 9542d6e5f0624c28044dd2837f5d943ba82aa00b8413b11afb8c7e20b2951470
                                                                                            • Instruction Fuzzy Hash: 28215B61E813707AFB7256334C8CF7BBE4D9B02744F0C8854FC04A6082DBE58555C6B5
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(00000000,02759947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,027622F8), ref: 027597B1
                                                                                            • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,027622F8), ref: 027597EB
                                                                                            • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,027622F8), ref: 027597F9
                                                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,027622F8), ref: 02759831
                                                                                            • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,027622F8), ref: 0275984E
                                                                                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,027622F8), ref: 0275985B
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                                            • String ID: D
                                                                                            • API String ID: 2981417381-2746444292
                                                                                            • Opcode ID: 271371436ddafb281aa5765075b937b75b3bd5adb83c63167eef9a1181d95946
                                                                                            • Instruction ID: 8a47c40a668ec309b5fd8acb33905b3726183cac7b1b02267b1190aa78f71f08
                                                                                            • Opcode Fuzzy Hash: 271371436ddafb281aa5765075b937b75b3bd5adb83c63167eef9a1181d95946
                                                                                            • Instruction Fuzzy Hash: 89212AB1D41229EBDB119FA1DC49FEFBBBCEF09654F004861FA19E1040EBB09654CAA0
                                                                                            APIs
                                                                                              • Part of subcall function 0275DD05: GetTickCount.KERNEL32 ref: 0275DD0F
                                                                                              • Part of subcall function 0275DD05: InterlockedExchange.KERNEL32(027636B4,00000001), ref: 0275DD44
                                                                                              • Part of subcall function 0275DD05: GetCurrentThreadId.KERNEL32 ref: 0275DD53
                                                                                              • Part of subcall function 0275DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0275DDB5
                                                                                            • lstrcpynA.KERNEL32(?,02751E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0275EAAA,?,?), ref: 0275E8DE
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0275EAAA,?,?,00000001,?,02751E84,?), ref: 0275E935
                                                                                            • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0275EAAA,?,?,00000001,?,02751E84,?,0000000A), ref: 0275E93D
                                                                                            • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0275EAAA,?,?,00000001,?,02751E84,?), ref: 0275E94F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                                            • String ID: flags_upd$localcfg
                                                                                            • API String ID: 204374128-3505511081
                                                                                            • Opcode ID: dc75d56b8400006e865ec848e6743fbd9fa1a4242cfa27006eaa601ea83dc982
                                                                                            • Instruction ID: ea7642e8123443c543650808fd13aaacd5fbd5bd946fcd3958400a2ed93d4bcf
                                                                                            • Opcode Fuzzy Hash: dc75d56b8400006e865ec848e6743fbd9fa1a4242cfa27006eaa601ea83dc982
                                                                                            • Instruction Fuzzy Hash: 66510E72D0021AAFDB11EFA8C984DAEF7F9BF48304F14456AE805A7210D775EA15CF54
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Code
                                                                                            • String ID:
                                                                                            • API String ID: 3609698214-0
                                                                                            • Opcode ID: 678672a19a914ec62b024be9784d4981ad5b6fa39ff3e4f801c542d66a349832
                                                                                            • Instruction ID: 1dffaa3ab2dd4d5c26342ab53865875fcc86a3400ce035aab86b111d7bbfe54b
                                                                                            • Opcode Fuzzy Hash: 678672a19a914ec62b024be9784d4981ad5b6fa39ff3e4f801c542d66a349832
                                                                                            • Instruction Fuzzy Hash: 7A21B772905225FFDB115B70ED8CD9FBBADEB05764B108915FD02E1080EBB1EA10DA74
                                                                                            APIs
                                                                                            • GetTempPathA.KERNEL32(00000400,?,00000000,027622F8), ref: 0275907B
                                                                                            • wsprintfA.USER32 ref: 027590E9
                                                                                            • CreateFileA.KERNEL32(027622F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0275910E
                                                                                            • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02759122
                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0275912D
                                                                                            • CloseHandle.KERNEL32(00000000), ref: 02759134
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                                            • String ID:
                                                                                            • API String ID: 2439722600-0
                                                                                            • Opcode ID: ef7946bf38318fa26e4d81f3d5e09a2a3340d964b3728c4f5c1178cdf9ab21b3
                                                                                            • Instruction ID: 20e439364b15b53a7f3bfe9a65387d8207ebe33823bc8a8ad0f66d4c06af63c8
                                                                                            • Opcode Fuzzy Hash: ef7946bf38318fa26e4d81f3d5e09a2a3340d964b3728c4f5c1178cdf9ab21b3
                                                                                            • Instruction Fuzzy Hash: 63116AB6A401247BF7256672DC0DFAF7A6EDBC5701F00C465FF0AE5051EAB08E118AA0
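The two records above at 027597B1 (CreateProcessA with dwCreationFlags 00000004, then WriteProcessMemory, SetThreadContext, ResumeThread) and at 0275907B (GetTempPathA, then CreateFileA with 40000000 / 00000002, then WriteFile) show the report's raw hex arguments without decoding them. As an added example, not part of the Joe Sandbox report and not code recovered from the sample, the Python below parses the `• Name.MODULE(args), ref: ADDR` lines this report uses, decodes those constants (0x4 = CREATE_SUSPENDED, 0x40000000 = GENERIC_WRITE, 2 = CREATE_ALWAYS), and flags the suspended-process injection chain and the write-to-%TEMP% chain. It also pulls the configuration keys the function at 0275BE4F compares with lstrcmpiA. The sample records are lines copied from the summaries above; the rule names and record labels are my own.

```python
"""Parse Joe Sandbox 'APIs' entries and flag suspicious call chains.
Added example, not part of the report and not code from the sample; SAMPLES
holds API lines copied from the function summaries above, rule names are mine."""
import re
from collections import namedtuple

# Record lines look like:  • CreateProcessA.KERNEL32(00000000,...,00000004,...), ref: 027597B1
# or, with no argument list:  • GetTickCount.KERNEL32 ref: 02752078
# "Part of subcall function ..." entries do not match and are skipped on purpose.
API_LINE = re.compile(r"^\s*•\s*(?P<name>\w+)\.(?P<module>\w+)"
                      r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

CREATE_SUSPENDED = 0x00000004   # CreateProcess dwCreationFlags
GENERIC_WRITE = 0x40000000      # CreateFile dwDesiredAccess
CREATE_ALWAYS = 0x00000002      # CreateFile dwCreationDisposition

# args: raw tokens, "?" where the sandbox could not resolve a value; ref: call-site address
Call = namedtuple("Call", "name module args ref")


def parse_record(text):
    """Turn the APIs block of one function summary into Call objects, in report order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:   # headings such as 'APIs' or 'Strings' simply do not match
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(Call(m["name"], m["module"], args, int(m["ref"], 16)))
    return calls


def _hex(token):
    """Hex argument as int; None for '?' and for string literals the sandbox resolved."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def arg(call, index):
    """Numeric value of positional argument `index`, or None if absent or unknown."""
    return _hex(call.args[index]) if index < len(call.args) else None


def _after(calls, name, addr):
    """True when a call named `name` sits at a higher call-site address than `addr`."""
    return any(c.name == name and c.ref > addr for c in calls)


def suspended_injection(calls):
    """CreateProcess* with CREATE_SUSPENDED, then WriteProcessMemory, SetThreadContext
    and ResumeThread later in the same function: the suspended-process injection shape."""
    for c in calls:
        if c.name.startswith("CreateProcess"):
            flags = arg(c, 5)   # dwCreationFlags is the 6th parameter
            if flags is not None and flags & CREATE_SUSPENDED:
                return all(_after(calls, n, c.ref)
                           for n in ("WriteProcessMemory", "SetThreadContext", "ResumeThread"))
    return False


def drops_file_in_temp(calls):
    """GetTempPath*, then CreateFile* with GENERIC_WRITE and CREATE_ALWAYS, then WriteFile:
    something is written under %TEMP%."""
    temp = next((c for c in calls if c.name.startswith("GetTempPath")), None)
    if temp is None:
        return False
    for c in calls:
        if c.name.startswith("CreateFile") and c.ref > temp.ref:
            access, disposition = arg(c, 1), arg(c, 4)
            if access is not None and access & GENERIC_WRITE and disposition == CREATE_ALWAYS:
                return _after(calls, "WriteFile", c.ref)
    return False


def config_keys(calls):
    """String literals passed to lstrcmpi*: the keys the function matches its config against."""
    return {t for c in calls if c.name.startswith("lstrcmpi")
            for t in c.args if t != "?" and _hex(t) is None}


RULES = {"suspended_process_injection": suspended_injection,
         "drops_file_in_temp": drops_file_in_temp}


def analyze(records):
    """Map each record label to the rule names that fired on it."""
    return {label: [r for r, fn in RULES.items() if fn(parse_record(text))]
            for label, text in records.items()}


# Constructed sample: lines copied from three function summaries in this report.
SAMPLES = {
    "inject_027597B1": """
• CreateProcessA.KERNEL32(00000000,02759947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,027622F8), ref: 027597B1
• GetThreadContext.KERNEL32(?,?,?,?,?,?,?,027622F8), ref: 027597EB
• TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,027622F8), ref: 027597F9
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,027622F8), ref: 02759831
• SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,027622F8), ref: 0275984E
• ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,027622F8), ref: 0275985B
""",
    "drop_0275907B": """
• GetTempPathA.KERNEL32(00000400,?,00000000,027622F8), ref: 0275907B
• wsprintfA.USER32 ref: 027590E9
• CreateFileA.KERNEL32(027622F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0275910E
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0275912D
""",
    "config_0275BE4F": """
• lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0275BE4F
• lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0275BE5B
• lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0275BE67
""",
}

if __name__ == "__main__":
    for label, hits in analyze(SAMPLES).items():
        print(label, hits or "no rule fired")
```

Two caveats when reading the result. The report lists calls in call-site address order, so "later" in these rules means a higher address inside one function, not runtime order; loops and branches can reorder, and because the "Part of subcall function" entries are skipped, a chain split across helpers (as the config lookup here is, with lstrcpyA/lstrlenA living in 0275E854) is not matched. The constant decoding also assumes the argument shown is the literal value the sandbox captured, which is what a `?` in the same position warns is not always the case.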
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0275DD0F
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0275DD20
                                                                                            • GetTickCount.KERNEL32 ref: 0275DD2E
                                                                                            • Sleep.KERNEL32(00000000,?,75920F10,?,00000000,0275E538,?,75920F10,?,00000000,?,0275A445), ref: 0275DD3B
                                                                                            • InterlockedExchange.KERNEL32(027636B4,00000001), ref: 0275DD44
                                                                                            • GetCurrentThreadId.KERNEL32 ref: 0275DD53
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                                            • String ID:
                                                                                            • API String ID: 3819781495-0
                                                                                            • Opcode ID: 784625c3eb23531e592a1e586594dae01363215ac6eb418473e42ea5cb393b88
                                                                                            • Instruction ID: b79599439d1e232b737039b07da5e739f7dacb06d4d34ed000f5769af1d1a852
                                                                                            • Opcode Fuzzy Hash: 784625c3eb23531e592a1e586594dae01363215ac6eb418473e42ea5cb393b88
                                                                                            • Instruction Fuzzy Hash: 5EF0E272D84315AFC7905B66B88CB39BBA4F745B12F008856E90BC2241C7B15075CF22
                                                                                            APIs
                                                                                            • gethostname.WS2_32(?,00000080), ref: 0275AD1C
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0275AD60
                                                                                            • lstrlenA.KERNEL32(00000000), ref: 0275AD69
                                                                                            • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0275AD7F
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$gethostnamelstrcpy
                                                                                            • String ID: LocalHost
                                                                                            • API String ID: 3695455745-3154191806
                                                                                            • Opcode ID: a07e147ce30ca5a8ed348b820e8678c2c19ba90adfee7d8d338f0bd3aca346bf
                                                                                            • Instruction ID: a15f5d9b301f413f9bb5dd960a3a4d1a52a0257b5cd25aaa3bb93e43d5613988
                                                                                            • Opcode Fuzzy Hash: a07e147ce30ca5a8ed348b820e8678c2c19ba90adfee7d8d338f0bd3aca346bf
                                                                                            • Instruction Fuzzy Hash: 5B014920C843A95DDF32263A8848BB5FF666B8764AF0042B6DCC09711DEFE480438761
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 02754BDD
                                                                                            • GetTickCount.KERNEL32 ref: 02754BEC
                                                                                            • Sleep.KERNEL32(00000000,?,%FROM_EMAIL,02755D02,00000000,?,0275B85C,?,00000080,?,00000000,00000000,?,%FROM_EMAIL), ref: 02754BF9
                                                                                            • InterlockedExchange.KERNEL32(02C1B160,00000001), ref: 02754C02
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CountTick$ExchangeInterlockedSleep
                                                                                            • String ID: %FROM_EMAIL
                                                                                            • API String ID: 2207858713-2903620461
                                                                                            • Opcode ID: 60e6924b817a7dde90deebbc28989eff756e1f79443c8e00f521d48e1a234b26
                                                                                            • Instruction ID: d17b4a85106cc6f093818cadd6e59c76da93275ec90426df9c08dd1ed18c205a
                                                                                            • Opcode Fuzzy Hash: 60e6924b817a7dde90deebbc28989eff756e1f79443c8e00f521d48e1a234b26
                                                                                            • Instruction Fuzzy Hash: 5AE0CD3768532467C7101BB55C88F5AB79CFB85361F064876FF0CD2141C6E694A141B5
                                                                                            APIs
                                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,027598FD,00000001,00000100,027622F8,0275A3C7), ref: 02754290
                                                                                            • CloseHandle.KERNEL32(0275A3C7), ref: 027543AB
                                                                                            • CloseHandle.KERNEL32(00000001), ref: 027543AE
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: CloseHandle$CreateEvent
                                                                                            • String ID:
                                                                                            • API String ID: 1371578007-0
                                                                                            • Opcode ID: 34b6a59a2d7f546455fedfcc9dfe327fcd4e5d8aeccd31f41cfb162c82fb7037
                                                                                            • Instruction ID: 265478922fa8f49b17127efb87cf484f97ab4160de599ee2b01df707253541ec
                                                                                            • Opcode Fuzzy Hash: 34b6a59a2d7f546455fedfcc9dfe327fcd4e5d8aeccd31f41cfb162c82fb7037
                                                                                            • Instruction Fuzzy Hash: 07418DB1C00219BADB11AFA1DD89FAFFFB9EF41364F104555FA15B2190D7B48690CBA0
                                                                                            APIs
                                                                                            • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,027564CF,00000000), ref: 0275609C
                                                                                            • LoadLibraryA.KERNEL32(?,?,027564CF,00000000), ref: 027560C3
                                                                                            • GetProcAddress.KERNEL32(?,00000014), ref: 0275614A
                                                                                            • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0275619E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Read$AddressLibraryLoadProc
                                                                                            • String ID:
                                                                                            • API String ID: 2438460464-0
                                                                                            • Opcode ID: 7dc764579d866ff2adab1d77f3d70710670455be39a7e4006ed7db8309e39e87
                                                                                            • Instruction ID: d0035e76bfee477d08ccfd3a34983f9b9dc9233f95bda4d14358a6a9ca347f05
                                                                                            • Opcode Fuzzy Hash: 7dc764579d866ff2adab1d77f3d70710670455be39a7e4006ed7db8309e39e87
                                                                                            • Instruction Fuzzy Hash: C1412971E00229ABDB24CF58C884B79F7B9FF04358F548169EC15E7291E7B0E955CB90
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f6e720bb0e8fc4bbf54d4ce4150d8fc3b63d3a96ea3dc60b67f559c94a398fc8
                                                                                            • Instruction ID: e6d33dce5b1601b2e7e40bfdea87359b248e43ca33a4ba29d83146188b98ef6e
                                                                                            • Opcode Fuzzy Hash: f6e720bb0e8fc4bbf54d4ce4150d8fc3b63d3a96ea3dc60b67f559c94a398fc8
                                                                                            • Instruction Fuzzy Hash: 4B318F71A00328ABDB219FA5CC85BBEB7F4FF48701F108456FD45E6242E3B8E6518B54
                                                                                            APIs
                                                                                            • GetTickCount.KERNEL32 ref: 0275272E
                                                                                            • htons.WS2_32(00000001), ref: 02752752
                                                                                            • htons.WS2_32(0000000F), ref: 027527D5
                                                                                            • htons.WS2_32(00000001), ref: 027527E3
                                                                                            • sendto.WS2_32(?,02762BF8,00000009,00000000,00000010,00000010), ref: 02752802
                                                                                              • Part of subcall function 0275EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0275EBFE,7FFF0001,?,0275DB55,7FFF0001), ref: 0275EBD3
                                                                                              • Part of subcall function 0275EBCC: RtlAllocateHeap.NTDLL(00000000,?,0275DB55,7FFF0001), ref: 0275EBDA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                                            • String ID:
                                                                                            • API String ID: 1128258776-0
                                                                                            • Opcode ID: b7940b74f9fb64d94fefac0f384901303b7fceaa3ed7040db06b64cd81cf8db1
                                                                                            • Instruction ID: 8a8fd25fabe18fd9deb3c98b6c281c9b6f9fe248e8a2017cf47e0a690fbbb73e
                                                                                            • Opcode Fuzzy Hash: b7940b74f9fb64d94fefac0f384901303b7fceaa3ed7040db06b64cd81cf8db1
                                                                                            • Instruction Fuzzy Hash: 59313434A843939FD710CF75D884A62BB60EF19358B1DC86DED598B313E7B29892CB10
                                                                                            APIs
                                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,027622F8), ref: 0275915F
                                                                                            • GetModuleFileNameA.KERNEL32(00000000), ref: 02759166
                                                                                            • CharToOemA.USER32(?,?), ref: 02759174
                                                                                            • wsprintfA.USER32 ref: 027591A9
                                                                                              • Part of subcall function 02759064: GetTempPathA.KERNEL32(00000400,?,00000000,027622F8), ref: 0275907B
                                                                                              • Part of subcall function 02759064: wsprintfA.USER32 ref: 027590E9
                                                                                              • Part of subcall function 02759064: CreateFileA.KERNEL32(027622F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0275910E
                                                                                              • Part of subcall function 02759064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02759122
                                                                                              • Part of subcall function 02759064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0275912D
                                                                                              • Part of subcall function 02759064: CloseHandle.KERNEL32(00000000), ref: 02759134
                                                                                            • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 027591E1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                                            • String ID:
                                                                                            • API String ID: 3857584221-0
                                                                                            • Opcode ID: 2c0d651ea254e206e2d7f2dad44b7d2585c57f3bfce03e061145b03339575e0c
                                                                                            • Instruction ID: 2c213ff7d93af013ef352eb7e9f8af1239a9d232d3d92c37a7eb0bad97860dbd
                                                                                            • Opcode Fuzzy Hash: 2c0d651ea254e206e2d7f2dad44b7d2585c57f3bfce03e061145b03339575e0c
                                                                                            • Instruction Fuzzy Hash: 330180F6D40268BBEA21A6618C4DFEF7B7CEB85701F000491FB09E2040E6B096848FB0
                                                                                            APIs
                                                                                            • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,02752491,?,?,?,0275E844,-00000030,?,?,?,00000001), ref: 02752429
                                                                                            • lstrlenA.KERNEL32(?,?,02752491,?,?,?,0275E844,-00000030,?,?,?,00000001,02751E3D,00000001,localcfg,lid_file_upd), ref: 0275243E
                                                                                            • lstrcmpiA.KERNEL32(?,?), ref: 02752452
                                                                                            • lstrlenA.KERNEL32(?,?,02752491,?,?,?,0275E844,-00000030,?,?,?,00000001,02751E3D,00000001,localcfg,lid_file_upd), ref: 02752467
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrlen$lstrcmpi
                                                                                            • String ID: localcfg
                                                                                            • API String ID: 1808961391-1857712256
                                                                                            • Opcode ID: 55cb19feba370029a11ff511a936b79bd6c613418d07f3aea35e52c2b3eb807f
                                                                                            • Instruction ID: c2c4bde853386cffafd3b39505b825d692128afe4818d780b75f988e6462c309
                                                                                            • Opcode Fuzzy Hash: 55cb19feba370029a11ff511a936b79bd6c613418d07f3aea35e52c2b3eb807f
                                                                                            • Instruction Fuzzy Hash: 2401DA71600228AFCF11EF69DC849DEBBA9EF44394B05C425ED59A7202E370EE518A94
                                                                                            APIs
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: wsprintf
                                                                                            • String ID: %u.%u.%u.%u.%s$localcfg
                                                                                            • API String ID: 2111968516-120809033
                                                                                            • Opcode ID: 066e1075733a9589a683b973a1efbb6157ad2a2104e8942fdbd42bb7e02fa44d
                                                                                            • Instruction ID: f88bb8c77cf5399d3af80ca07ff6846b9b9d7deabc76c508bfba5fba068f9103
                                                                                            • Opcode Fuzzy Hash: 066e1075733a9589a683b973a1efbb6157ad2a2104e8942fdbd42bb7e02fa44d
                                                                                            • Instruction Fuzzy Hash: EA419C729042A89FDB22CF798C48BEE7BE9AF49311F240056FDA4D3141D775DA05CBA0
                                                                                            APIs
                                                                                              • Part of subcall function 0275DD05: GetTickCount.KERNEL32 ref: 0275DD0F
                                                                                              • Part of subcall function 0275DD05: InterlockedExchange.KERNEL32(027636B4,00000001), ref: 0275DD44
                                                                                              • Part of subcall function 0275DD05: GetCurrentThreadId.KERNEL32 ref: 0275DD53
                                                                                            • lstrcmpA.KERNEL32(75920F18,00000000,?,75920F10,00000000,?,02755EC1), ref: 0275E693
                                                                                            • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,75920F10,00000000,?,02755EC1), ref: 0275E6E9
                                                                                            • lstrcmpA.KERNEL32(89ABCDEF,00000008,?,75920F10,00000000,?,02755EC1), ref: 0275E722
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                                            • String ID: 89ABCDEF
                                                                                            • API String ID: 3343386518-71641322
                                                                                            • Opcode ID: 8e91df8765c712e8dc89e29f59df09704ae51bd6369131bd70584478741dfb5e
                                                                                            • Instruction ID: eed0d34ead910a025a84740936c1a172fbcadcbef14693fdf422f011108b9ab6
                                                                                            • Opcode Fuzzy Hash: 8e91df8765c712e8dc89e29f59df09704ae51bd6369131bd70584478741dfb5e
                                                                                            • Instruction Fuzzy Hash: 4E31E731904726DFDB318F65D888767B7E4FF05394F10882AED9587542E7B0EA80CB81
                                                                                            APIs
                                                                                            • RegCreateKeyExA.ADVAPI32(80000001,0275E2A3,00000000,00000000,00000000,00020106,00000000,0275E2A3,00000000,000000E4), ref: 0275E0B2
                                                                                            • RegSetValueExA.ADVAPI32(0275E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,027622F8), ref: 0275E127
                                                                                            • RegDeleteValueA.ADVAPI32(0275E2A3,?,?,?,?,?,000000C8,027622F8), ref: 0275E158
                                                                                            • RegCloseKey.ADVAPI32(0275E2A3,?,?,?,?,000000C8,027622F8,?,?,?,?,?,?,?,?,0275E2A3), ref: 0275E161
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
                                                                                            Yara matches
                                                                                            Similarity
                                                                                            • API ID: Value$CloseCreateDelete
                                                                                            • String ID:
                                                                                            • API String ID: 2667537340-0
                                                                                            • Opcode ID: a2cae90ea84d8ba863964c58b9ff539d33404a85d0201a04b589452c4fbfcccc
                                                                                            • Instruction ID: ea5228114dd5a744923f5a391460b677c4adb0fb0076f37a9a458fb25a4d2691
                                                                                            • Opcode Fuzzy Hash: a2cae90ea84d8ba863964c58b9ff539d33404a85d0201a04b589452c4fbfcccc
                                                                                            • Instruction Fuzzy Hash: B2215E71E00229BBDF219EA4DC89EDEBF79EF09790F108061FD04A6150E7B18B54CBA0
APIs
• WriteFile.KERNEL32(00000000,00000000,0275A3C7,00000000,00000000,000007D0,00000001), ref: 02753F44
• GetLastError.KERNEL32 ref: 02753F4E
• WaitForSingleObject.KERNEL32(00000004,?), ref: 02753F5F
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02753F72
Memory Dump Source
• Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
• String ID:
• API String ID: 3373104450-0
• Opcode ID: 67ee4e7066351b0e1cf388d34b7fff1b0276bfa8fc1dc043db8e796642178c25
• Instruction ID: 92e5ffe5de9da92151997fa23691c703bcdbd1a66a8a95b3d278d31ae6c3520a
• Instruction Fuzzy Hash: 0F01E972915219ABDF01DE90DD48BEFBB7CFB04395F104455FA01E2090D770DA248BB1
APIs
• ReadFile.KERNEL32(00000000,00000000,0275A3C7,00000000,00000000,000007D0,00000001), ref: 02753FB8
• GetLastError.KERNEL32 ref: 02753FC2
• WaitForSingleObject.KERNEL32(00000004,?), ref: 02753FD3
• GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02753FE6
Memory Dump Source
• Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
Similarity
• API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
• String ID:
• API String ID: 888215731-0
• Opcode ID: e4c77a14aa1c144ff7d9d8be7d4dca71ce38e57f85d2acb0134ba3cbc1c1bfbf
• Instruction ID: f35cb489ebf6c497cab09ed34b8025d7c6ead1098f4a3b7a00c3f523b1999136
• Instruction Fuzzy Hash: AB01957291021AABDF11DF94D949BAA7B78BB05255F104451ED02E2090D7709A658BB1
APIs
• GetTickCount.KERNEL32 ref: 0275A4D1
• GetTickCount.KERNEL32 ref: 0275A4E4
• Sleep.KERNEL32(00000000,?,0275C2E9,0275C4E0,00000000,localcfg,?,0275C4E0,02763588,02758810), ref: 0275A4F1
• InterlockedExchange.KERNEL32(?,00000001), ref: 0275A4FA
Memory Dump Source
• Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 87bbd45c894b78aeac49116c2320b917913799a6487267793e24dc151aae4bf2
• Instruction ID: 97aeb6012d189af4eaf7854420c85eb8234c4fa0208444e04f7969bd7e4ad47f
• Instruction Fuzzy Hash: F7E07D3324032567C70017E9AC88F6BB388FB49761F014531FF04E3241D7A6A85181B3
APIs
• GetTickCount.KERNEL32 ref: 02754E9E
• GetTickCount.KERNEL32 ref: 02754EAD
• Sleep.KERNEL32(0000000A,?,00000001), ref: 02754EBA
• InterlockedExchange.KERNEL32(?,00000001), ref: 02754EC3
Memory Dump Source
• Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: aed3014168e266ec7fbbbdaae42bc49020b1d30b22f1d6107d1a09a6b77633f9
• Instruction ID: 039ea94281cc9bd38dd10168cbf1c9c02919c03de7480fe16e3892c9e2e21dad
• Instruction Fuzzy Hash: FEE0CD3374132467D6102BBAAC88F57B749BB45371F010931FF09D2141C6E7D8A245F1
APIs
• GetTickCount.KERNEL32 ref: 02753103
• GetTickCount.KERNEL32 ref: 0275310F
• Sleep.KERNEL32(00000000), ref: 0275311C
• InterlockedExchange.KERNEL32(?,00000001), ref: 02753128
Memory Dump Source
• Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
Similarity
• API ID: CountTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 2207858713-0
• Opcode ID: 092cc8bbd227d94a8b6887053dadcc2386a6a726dca070d89a947cbc1043660a
• Instruction ID: 0129815a3f1720676b9a58b082479dd37f0cbd1b8e18a970556b6aa2992db37a
• Instruction Fuzzy Hash: 2EE0C231640325ABDB002B76AD48F49BA5AEF847A1F015871FA01E60A0C6A14C208971
Memory Dump Source
• Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
Similarity
• API ID: CountTick
• String ID: localcfg
• API String ID: 536389180-1857712256
• Opcode ID: 53af816ba53715bf6c3410fdf7e331874ac2c135374d50b9f3636aafbc4b8cd1
• Instruction ID: a59d64ecb3a11b902fc2495bbf0c707559e3ba9aed63f8748e26be6b285cd859
• Instruction Fuzzy Hash: 7C210A32A10725AFDB10DF76C88866AFBF9FF24714B294599DC01DB201CBB0E980CB51
Strings
• Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0275C057
Memory Dump Source
• Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
Similarity
• API ID: CountTickwsprintf
• String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
• API String ID: 2424974917-1012700906
• Opcode ID: f9d551d15d752ffcb2cb5e206e8ab5759700728d1338b8f2158732c38e27c223
• Instruction ID: 9ee2676d7985aa0745bd413fe1329ba4dd71885bd2103226ca32f3dd81be278e
• Instruction Fuzzy Hash: 6A1197B2500100FFDB429AA9CD48E567FA6FF88318B34919CF6188E126D633D863EB50
APIs
  • Part of subcall function 027530FA: GetTickCount.KERNEL32 ref: 02753103
  • Part of subcall function 027530FA: InterlockedExchange.KERNEL32(?,00000001), ref: 02753128
• GetCurrentThreadId.KERNEL32 ref: 02753929
• GetCurrentThreadId.KERNEL32 ref: 02753939
Memory Dump Source
• Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
Similarity
• API ID: CurrentThread$CountExchangeInterlockedTick
• String ID: %FROM_EMAIL
• API String ID: 3716169038-2903620461
• Opcode ID: 311b432f9abce04a9027ba86b78be6e1fbeeba30e1d8273b4a839654cbbdad7f
• Instruction ID: 3a76ddd5fa59748a837f450abf6876eb558cc872bd9dd6c8ace6485afd3b163f
• Instruction Fuzzy Hash: BD118CB1940225EFE721DF19D484A6CF3F5FB0575AF10899EEC4497291C7B0AA80CFA0
APIs
• lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0275BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0275ABB9
• InterlockedIncrement.KERNEL32(02763640), ref: 0275ABE1
Memory Dump Source
• Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
Similarity
• API ID: IncrementInterlockedlstrcpyn
• String ID: %FROM_EMAIL
• API String ID: 224340156-2903620461
• Opcode ID: 4c0a7804265a042e44aaf48ebfc1f60e8baa75ef34a7b44e5f470433e24a8553
• Instruction ID: 3deece0dc1615d83a81cf624ca2d2852f2196480546b5ebb9854fd888cdfa9cd
• Instruction Fuzzy Hash: 17019E71908394AFEB11CF18D885F96BFA6BF15214F144998E9804B203C3B1E544CBD1
APIs
• gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 027526C3
• inet_ntoa.WS2_32(?), ref: 027526E4
Memory Dump Source
• Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
Similarity
• API ID: gethostbyaddrinet_ntoa
• String ID: localcfg
• API String ID: 2112563974-1857712256
• Opcode ID: 50002fc28a3778ceb49ab750151229d018be0010878074914086b03e99fa9dad
• Instruction ID: c6c3514abdef8c8641f49c07366e59a781f44779635e058f062bfcfcdd7793c8
• Instruction Fuzzy Hash: 0CF082321483287FEB04AEA0EC09AAA779CEF05650F108425FD08DA090EBB1D9508798
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,0275EB54,_alldiv,0275F0B7,80000001,00000000,00989680,00000000,?,?,?,0275E342,00000000,7508EA50,80000001,00000000), ref: 0275EAF2
• GetProcAddress.KERNEL32(76E80000,00000000), ref: 0275EB07
Memory Dump Source
• Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: a01cbcb981873a0aaee28f35a67a855c423193cc89fb91235b5f7ac23523aaee
• Instruction ID: aba05e7abfb10294f424e4496645e297a49ab3c5c23b8bb573e65876ddc24c3c
• Instruction Fuzzy Hash: 0AD01274E807029BDF164F65DA0EE19BBE9BB40B02B84C859FC0BD1200E7B0E424DB00
APIs
  • Part of subcall function 02752D21: GetModuleHandleA.KERNEL32(00000000,759223A0,?,00000000,02752F01,?,027520FF,02762000), ref: 02752D3A
  • Part of subcall function 02752D21: LoadLibraryA.KERNEL32(?), ref: 02752D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02752F73
• HeapFree.KERNEL32(00000000), ref: 02752F7A
Memory Dump Source
• Source File: 00000013.00000002.3295266720.0000000002750000.00000040.00000400.00020000.00000000.sdmp, Offset: 02750000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_19_2_2750000_svchost.jbxd
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: a56a816796d6baec93392a9425c3e21ca40f17c3a6a3015cf1f58a4aa3a23d90
• Instruction ID: 9085c5110f4598b376b2bd6d11081b47e6201a4eb56853558fa555b18fd23d33
• Instruction Fuzzy Hash: 5851C07190022A9FDF06DF64D888AF9F776FF06304F1045A9EC96D7221E7729A19CB90