
Windows Analysis Report
ewdWlNc8TL.exe

Overview

General Information

Sample name:ewdWlNc8TL.exe
renamed because original name is a hash value
Original sample name:6c2830c79d0a840f479ad635e3d57883.exe
Analysis ID:1482762
MD5:6c2830c79d0a840f479ad635e3d57883
SHA1:dc4073381a79705a4df53048cad7b44679623835
SHA256:a5f35b4f8933e0106c7743eaadbd3b883f61552add7ff17aca237450b3aa4168
Tags:32, exe, Tofsee, trojan

Detection

Tofsee
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Tofsee
AI detected suspicious sample
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Drops executables to the windows directory (C:\Windows) and starts them
Found API chain indicative of debugger detection
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious New Service Creation
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query network adapter information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after accessing registry keys)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Windows Defender Exclusions Added - Registry
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ewdWlNc8TL.exe (PID: 3664 cmdline: "C:\Users\user\Desktop\ewdWlNc8TL.exe" MD5: 6C2830C79D0A840F479AD635E3D57883)
    • cmd.exe (PID: 6808 cmdline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rpfcsqnj\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2304 cmdline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\ybuffopp.exe" C:\Windows\SysWOW64\rpfcsqnj\ MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 2504 cmdline: "C:\Windows\System32\sc.exe" create rpfcsqnj binPath= "C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d\"C:\Users\user\Desktop\ewdWlNc8TL.exe\"" type= own start= auto DisplayName= "wifi support" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 4048 cmdline: "C:\Windows\System32\sc.exe" description rpfcsqnj "wifi internet conection" MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sc.exe (PID: 6996 cmdline: "C:\Windows\System32\sc.exe" start rpfcsqnj MD5: D9D7684B8431A0D10D0E76FE9F5FFEC8)
      • conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • netsh.exe (PID: 5328 cmdline: "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7256 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 652 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • ybuffopp.exe (PID: 4048 cmdline: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d"C:\Users\user\Desktop\ewdWlNc8TL.exe" MD5: E4141310CE16DAF84C1718D66EAE2E57)
    • svchost.exe (PID: 7276 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
    • WerFault.exe (PID: 7316 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 540 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 6248 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 7220 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3664 -ip 3664 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7284 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4048 -ip 4048 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Tofsee
Description: According to PCrisk, Tofsee (also known as Gheg) is a malicious Trojan-type program that is capable of performing DDoS attacks, mining cryptocurrency, sending emails, stealing various account credentials, updating itself, and more. Cyber criminals mainly use this program as an email-oriented tool (they target users' email accounts), however, having Tofsee installed can also lead to many other problems.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
{"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Yara matches in memory dumps (Source; Rule; Description; Author; Strings):

Source: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
Source: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Smokeloader_3687686f; Description: unknown; Author: unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Source: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0x27ab:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xf0fc:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 0000000B.00000003.1770040637.0000000002C60000.00000004.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
Source: 0000000B.00000003.1770040637.0000000002C60000.00000004.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
(24 entries in total; only the first are shown)
Yara matches in unpacked PEs (Source; Rule; Description; Author; Strings):

Source: 0.2.ewdWlNc8TL.exe.25e0e67.1.unpack; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0xd44:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xd695:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 0.2.ewdWlNc8TL.exe.25e0e67.1.unpack; Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen
  • 0xe110:$s2: loader_id
  • 0xe140:$s3: start_srv
  • 0xe170:$s4: lid_file_upd
  • 0xe164:$s5: localcfg
  • 0xe894:$s6: Incorrect respons
Source: 11.2.ybuffopp.exe.2c60000.2.unpack; Rule: JoeSecurity_Tofsee; Description: Yara detected Tofsee; Author: Joe Security
Source: 11.2.ybuffopp.exe.2c60000.2.unpack; Rule: Windows_Trojan_Tofsee_26124fe4; Description: unknown; Author: unknown
  • 0x1944:$a: 55 8B EC 8B 45 08 57 8B 7D 10 B1 01 85 FF 74 1D 56 8B 75 0C 2B F0 8A 14 06 32 55 14 88 10 8A D1 02 55 18 F6 D9 00 55 14 40 4F 75 EA 5E 8B 45 08 5F 5D C3
  • 0xe295:$b: 8B 44 24 04 53 8A 18 84 DB 74 2D 8B D0 2B 54 24 0C 8B 4C 24 0C 84 DB 74 12 8A 19 84 DB 74 1B 38 1C 0A 75 07 41 80 3C 0A 00 75 EE 80 39 00 74 0A 40 8A 18 42 84 DB 75 D9 33 C0 5B C3
Source: 11.2.ybuffopp.exe.2c60000.2.unpack; Rule: MALWARE_Win_Tofsee; Description: Detects Tofsee; Author: ditekSHen
  • 0xfc3e:$s1: n%systemroot%\system32\cmd.exe
  • 0xed10:$s2: loader_id
  • 0xed40:$s3: start_srv
  • 0xed70:$s4: lid_file_upd
  • 0xed64:$s5: localcfg
  • 0xf494:$s6: Incorrect respons
  • 0xf574:$s7: mx connect error
  • 0xf4f0:$s8: Error sending command (sent = %d/%d)
  • 0xf628:$s9: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u
(39 entries in total; only the first are shown)

        System Summary

Source: Process started; Author: David Burkett, @signalblur; Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d"C:\Users\user\Desktop\ewdWlNc8TL.exe", ParentImage: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe, ParentProcessId: 4048, ParentProcessName: ybuffopp.exe, ProcessCommandLine: svchost.exe, ProcessId: 7276, ProcessName: svchost.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\sc.exe" create rpfcsqnj binPath= "C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d\"C:\Users\user\Desktop\ewdWlNc8TL.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create rpfcsqnj binPath= "C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d\"C:\Users\user\Desktop\ewdWlNc8TL.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\ewdWlNc8TL.exe", ParentImage: C:\Users\user\Desktop\ewdWlNc8TL.exe, ParentProcessId: 3664, ParentProcessName: ewdWlNc8TL.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create rpfcsqnj binPath= "C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d\"C:\Users\user\Desktop\ewdWlNc8TL.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 2504, ProcessName: sc.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 52.101.8.49, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\SysWOW64\svchost.exe, Initiated: true, ProcessId: 7276, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d"C:\Users\user\Desktop\ewdWlNc8TL.exe", ParentImage: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe, ParentProcessId: 4048, ParentProcessName: ybuffopp.exe, ProcessCommandLine: svchost.exe, ProcessId: 7276, ProcessName: svchost.exe
Source: Registry Key set; Author: Christian Burkard (Nextron Systems); Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 7276, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\rpfcsqnj
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: "C:\Windows\System32\sc.exe" create rpfcsqnj binPath= "C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d\"C:\Users\user\Desktop\ewdWlNc8TL.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine: "C:\Windows\System32\sc.exe" create rpfcsqnj binPath= "C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d\"C:\Users\user\Desktop\ewdWlNc8TL.exe\"" type= own start= auto DisplayName= "wifi support", CommandLine|base64offset|contains: r, Image: C:\Windows\SysWOW64\sc.exe, NewProcessName: C:\Windows\SysWOW64\sc.exe, OriginalFileName: C:\Windows\SysWOW64\sc.exe, ParentCommandLine: "C:\Users\user\Desktop\ewdWlNc8TL.exe", ParentImage: C:\Users\user\Desktop\ewdWlNc8TL.exe, ParentProcessId: 3664, ParentProcessName: ewdWlNc8TL.exe, ProcessCommandLine: "C:\Windows\System32\sc.exe" create rpfcsqnj binPath= "C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d\"C:\Users\user\Desktop\ewdWlNc8TL.exe\"" type= own start= auto DisplayName= "wifi support", ProcessId: 2504, ProcessName: sc.exe
Source: Process started; Author: vburov; Data: Command: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup, ProcessId: 6248, ProcessName: svchost.exe
        No Snort rule has matched
Timestamp:2024-07-26T04:12:47.020064+0200
SID:2022930
Source Port:443
Destination Port:61235
Protocol:TCP
Classtype:A Network Trojan was detected

Timestamp:2024-07-26T04:12:18.258834+0200
SID:2022930
Source Port:443
Destination Port:49733
Protocol:TCP
Classtype:A Network Trojan was detected


        AV Detection

Source: vanaheim.cn:443; Avira URL Cloud: Label: phishing
Source: 0.3.ewdWlNc8TL.exe.2600000.0.raw.unpack; Malware Configuration Extractor: Tofsee {"C2 list": ["vanaheim.cn:443", "jotunheim.name:443"]}
Source: vanaheim.cn; Virustotal: Detection: 17%
Source: vanaheim.cn:443; Virustotal: Detection: 7%
Source: jotunheim.name:443; Virustotal: Detection: 12%
Source: ewdWlNc8TL.exe; ReversingLabs: Detection: 91%
Source: ewdWlNc8TL.exe; Virustotal: Detection: 74%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 98.4% probability
Source: C:\Users\user\AppData\Local\Temp\ybuffopp.exe; Joe Sandbox ML: detected
Source: ewdWlNc8TL.exe; Joe Sandbox ML: detected

        Compliance

Source: C:\Users\user\Desktop\ewdWlNc8TL.exe; Unpacked PE file: 0.2.ewdWlNc8TL.exe.400000.0.unpack
Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe; Unpacked PE file: 11.2.ybuffopp.exe.400000.0.unpack
Source: ewdWlNc8TL.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe; File opened: C:\Windows\SysWOW64\msvcr100.dll

        Change of critical system settings

Source: C:\Windows\SysWOW64\svchost.exe; Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\rpfcsqnj

        Networking

Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 74.125.71.27 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 52.101.8.49 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 217.69.139.150 25
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 213.226.112.95 443
Source: C:\Windows\SysWOW64\svchost.exe; Network Connect: 67.195.204.74 25
Source: Malware configuration extractor; URLs: vanaheim.cn:443
Source: Malware configuration extractor; URLs: jotunheim.name:443
Source: Joe Sandbox View; IP Address: 52.101.8.49
Source: Joe Sandbox View; IP Address: 217.69.139.150
Source: Joe Sandbox View; IP Address: 67.195.204.74
Source: Joe Sandbox View; ASN Name: RETN-ASEU
Source: Joe Sandbox View; ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View; ASN Name: MAILRU-ASMailRuRU
Source: Joe Sandbox View; ASN Name: YAHOO-3US
Source: global traffic; TCP traffic: 192.168.2.4:49731 -> 52.101.8.49:25
Source: global traffic; TCP traffic: 192.168.2.4:49739 -> 67.195.204.74:25
Source: global traffic; TCP traffic: 192.168.2.4:61236 -> 74.125.71.27:25
Source: global traffic; TCP traffic: 192.168.2.4:61238 -> 217.69.139.150:25
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (9 occurrences)
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe; Code function: 0_2_00402A62 GetProcessHeap,GetProcessHeap,GetProcessHeap,HeapAlloc,socket,htons,select,recv,htons,htons,htons,GetProcessHeap,HeapAlloc,htons,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,closesocket,GetProcessHeap,HeapFree
Source: global traffic; DNS traffic detected: DNS query: microsoft-com.mail.protection.outlook.com
Source: global traffic; DNS traffic detected: DNS query: vanaheim.cn
Source: global traffic; DNS traffic detected: DNS query: yahoo.com
Source: global traffic; DNS traffic detected: DNS query: mta6.am0.yahoodns.net
Source: global traffic; DNS traffic detected: DNS query: google.com
Source: global traffic; DNS traffic detected: DNS query: smtp.google.com
Source: global traffic; DNS traffic detected: DNS query: mail.ru
Source: global traffic; DNS traffic detected: DNS query: mxs.mail.ru
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown; Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 61237
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 61239
Source: unknown; Network traffic detected: HTTP traffic on port 61237 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 61239 -> 443

        Spam, unwanted Advertisements and Ransom Demands

Source: Yara match; File source: 11.2.ybuffopp.exe.2c60000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.ybuffopp.exe.2c60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ewdWlNc8TL.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ewdWlNc8TL.exe.25e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.3.ybuffopp.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.ewdWlNc8TL.exe.2600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.ybuffopp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.svchost.exe.2f80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ewdWlNc8TL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 17.2.svchost.exe.2f80000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.ybuffopp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.ybuffopp.exe.2550e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000003.1770040637.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.1774025895.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.1720652652.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ewdWlNc8TL.exe PID: 3664, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: ybuffopp.exe PID: 4048, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: svchost.exe PID: 7276, type: MEMORYSTR

        System Summary

Source: 0.2.ewdWlNc8TL.exe.25e0e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.2.ewdWlNc8TL.exe.25e0e67.1.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 11.2.ybuffopp.exe.2c60000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 11.2.ybuffopp.exe.2c60000.2.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 11.2.ybuffopp.exe.2c60000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 11.2.ybuffopp.exe.2c60000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0.3.ewdWlNc8TL.exe.2600000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.3.ewdWlNc8TL.exe.2600000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0.2.ewdWlNc8TL.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.2.ewdWlNc8TL.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 11.2.ybuffopp.exe.2550e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 11.2.ybuffopp.exe.2550e67.1.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 11.3.ybuffopp.exe.2c60000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 11.3.ybuffopp.exe.2c60000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0.2.ewdWlNc8TL.exe.25e0e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.2.ewdWlNc8TL.exe.25e0e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 11.3.ybuffopp.exe.2c60000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 11.3.ybuffopp.exe.2c60000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0.3.ewdWlNc8TL.exe.2600000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.3.ewdWlNc8TL.exe.2600000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 11.2.ybuffopp.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 11.2.ybuffopp.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 17.2.svchost.exe.2f80000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 17.2.svchost.exe.2f80000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0.2.ewdWlNc8TL.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0.2.ewdWlNc8TL.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 17.2.svchost.exe.2f80000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 17.2.svchost.exe.2f80000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 11.2.ybuffopp.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 11.2.ybuffopp.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 11.2.ybuffopp.exe.2550e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 11.2.ybuffopp.exe.2550e67.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f; Author: unknown
Source: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0000000B.00000003.1770040637.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0000000B.00000003.1770040637.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Smokeloader_3687686f; Author: unknown
Source: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0000000B.00000002.1774025895.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0000000B.00000002.1774025895.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 00000000.00000002.1760365617.000000000264D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c; Author: unknown
Source: 00000000.00000003.1720652652.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Tofsee_26124fe4; Author: unknown
Source: 00000000.00000003.1720652652.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects Tofsee; Author: ditekSHen
Source: 0000000B.00000002.1773773019.00000000025D9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_RedLineStealer_ed346e4c; Author: unknown
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe; Code function: 0_2_00408E26: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe; Code function: 0_2_00401280 ShellExecuteExW,lstrlenW,GetStartupInfoW,CreateProcessWithLogonW,WaitForSingleObject,CloseHandle,CloseHandle,GetLastError,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe; File created: C:\Windows\SysWOW64\rpfcsqnj\
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe; Code function: 0_2_0040C913
Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe; Code function: 11_2_0040C913
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 17_2_02F8C913
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe; Code function: String function: 0040EE2A appears 40 times
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe; Code function: String function: 00402544 appears 53 times
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe; Code function: String function: 025E27AB appears 35 times
Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3664 -ip 3664
Source: ewdWlNc8TL.exe, 00000000.00000002.1759735917.0000000002452000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenamesOdilesigo6 vs ewdWlNc8TL.exe
Source: ewdWlNc8TL.exe, 00000000.00000002.1760384734.00000000026A3000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamesOdilesigo6 vs ewdWlNc8TL.exe
Source: ewdWlNc8TL.exe; Binary or memory string: OriginalFilenamesOdilesigo6 vs ewdWlNc8TL.exe
Source: ewdWlNc8TL.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.ewdWlNc8TL.exe.25e0e67.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 0.2.ewdWlNc8TL.exe.25e0e67.1.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.ybuffopp.exe.2c60000.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
Source: 11.2.ybuffopp.exe.2c60000.2.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
Source: 11.2.ybuffopp.exe.2c60000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.ybuffopp.exe.2c60000.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.ewdWlNc8TL.exe.2600000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.ewdWlNc8TL.exe.2600000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.ewdWlNc8TL.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.ewdWlNc8TL.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.ybuffopp.exe.2550e67.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.ybuffopp.exe.2550e67.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.3.ybuffopp.exe.2c60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.3.ybuffopp.exe.2c60000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.ewdWlNc8TL.exe.25e0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.ewdWlNc8TL.exe.25e0e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.3.ybuffopp.exe.2c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.3.ybuffopp.exe.2c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.3.ewdWlNc8TL.exe.2600000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.3.ewdWlNc8TL.exe.2600000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.ybuffopp.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.ybuffopp.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.svchost.exe.2f80000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.svchost.exe.2f80000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0.2.ewdWlNc8TL.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0.2.ewdWlNc8TL.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 17.2.svchost.exe.2f80000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 17.2.svchost.exe.2f80000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.ybuffopp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.ybuffopp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 11.2.ybuffopp.exe.2550e67.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 11.2.ybuffopp.exe.2550e67.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000003.1770040637.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000003.1770040637.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000002.1774025895.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000002.1774025895.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 00000000.00000002.1760365617.000000000264D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: 00000000.00000003.1720652652.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Tofsee_26124fe4 reference_sample = e658fe6d3bd685f41eb0527432099ee01075bfdb523ef5aa3e5ebd42221c8494, os = windows, severity = x86, creation_date = 2022-03-31, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Tofsee, fingerprint = dc7ada5c6341e98bc41182a5698527b1649c4e80924ba0405f1b94356f63ff31, id = 26124fe4-f2a1-4fc9-8155-585b581476de, last_modified = 2022-04-12
        Source: 00000000.00000003.1720652652.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_Tofsee author = ditekSHen, description = Detects Tofsee
        Source: 0000000B.00000002.1773773019.00000000025D9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: classification engineClassification label: mal100.troj.evad.winEXE@31/3@9/5
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exeCode function: 0_2_00406A60 lstrcatA,CreateFileA,GetDiskFreeSpaceA,GetLastError,CloseHandle,CloseHandle,FindCloseChangeNotification,GetLastError,CloseHandle,DeleteFileA,GetLastError,0_2_00406A60
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exeCode function: 0_2_02651E99 CreateToolhelp32Snapshot,Module32First,0_2_02651E99
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exeCode function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep,0_2_00409A6B
Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_02F89A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1868:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6904:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:7220:64:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:7284:64:WilError_03
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | File created: C:\Users\user\AppData\Local\Temp\ybuffopp.exe
Source: ewdWlNc8TL.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ewdWlNc8TL.exe | ReversingLabs: Detection: 91%
Source: ewdWlNc8TL.exe | Virustotal: Detection: 74%
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | File read: C:\Users\user\Desktop\ewdWlNc8TL.exe
Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_11-14875
Source: unknown | Process created: C:\Users\user\Desktop\ewdWlNc8TL.exe "C:\Users\user\Desktop\ewdWlNc8TL.exe"
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rpfcsqnj\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\ybuffopp.exe" C:\Windows\SysWOW64\rpfcsqnj\
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create rpfcsqnj binPath= "C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d\"C:\Users\user\Desktop\ewdWlNc8TL.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description rpfcsqnj "wifi internet conection"
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start rpfcsqnj
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d"C:\Users\user\Desktop\ewdWlNc8TL.exe"
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3664 -ip 3664
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 652
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4048 -ip 4048
Source: C:\Windows\SysWOW64\sc.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 540
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rpfcsqnj\
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\ybuffopp.exe" C:\Windows\SysWOW64\rpfcsqnj\
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create rpfcsqnj binPath= "C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d\"C:\Users\user\Desktop\ewdWlNc8TL.exe\"" type= own start= auto DisplayName= "wifi support"
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description rpfcsqnj "wifi internet conection"
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start rpfcsqnj
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3664 -ip 3664
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 652
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4048 -ip 4048
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 540
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Section loaded: msimg32.dll
Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Section loaded: msvcr100.dll
Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dbghelp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: napinsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: pnrpnsp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: wshbth.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: nlaapi.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: winrnr.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: rasadhlp.dllJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeSection loaded: sspicli.dllJump to behavior
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32Jump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
        Source: ewdWlNc8TL.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

        Data Obfuscation

        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Unpacked PE file: 0.2.ewdWlNc8TL.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Unpacked PE file: 11.2.ybuffopp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Unpacked PE file: 0.2.ewdWlNc8TL.exe.400000.0.unpack
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Unpacked PE file: 11.2.ybuffopp.exe.400000.0.unpack
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Code function: 0_2_02655181 push 0000002Bh; iretd 0_2_02655187
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Code function: 11_2_025E0E29 push 0000002Bh; iretd 11_2_025E0E2F

        Persistence and Installation Behavior

        Source: unknown | Executable created and started: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe
        Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe (copy; reported twice)
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | File created: C:\Users\user\AppData\Local\Temp\ybuffopp.exe
        Source: C:\Windows\SysWOW64\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\rpfcsqnj
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create rpfcsqnj binPath= "C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d\"C:\Users\user\Desktop\ewdWlNc8TL.exe\"" type= own start= auto DisplayName= "wifi support"

        Hooking and other Techniques for Hiding and Protection

        Source: C:\Windows\SysWOW64\svchost.exe | File deleted: c:\users\user\desktop\ewdwlnc8tl.exe
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Code function: 0_2_00401000 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00401000
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process information set: NOGPFAULTERRORBOX (12 times), NOOPENFILEERRORBOX (1 time)
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Process information set: NOGPFAULTERRORBOX (2 times)
        Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 times)
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX (10 times)
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (10 times), NOOPENFILEERRORBOX (8 times)
        Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX (2 times)
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (10 times), NOOPENFILEERRORBOX (8 times)
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: inet_addr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetBestInterface,GetProcessHeap,HeapAlloc,GetAdaptersInfo,HeapReAlloc,GetAdaptersInfo,HeapFree,FreeLibrary,FreeLibrary, 17_2_02F8199C
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-15851
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_11-15266
        Source: C:\Windows\SysWOW64\svchost.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_17-6489
        Source: C:\Windows\SysWOW64\svchost.exe | Evaded block: after key decision graph_17-6158
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_17-7344
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-15908
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_11-15256
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep graph_17-7459
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_11-14890
        Source: C:\Windows\SysWOW64\svchost.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_17-6187
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-14727
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | API coverage: 5.4 %
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | API coverage: 3.9 %
        Source: C:\Windows\SysWOW64\svchost.exe TID: 7312 | Thread sleep count: 33 > 30
        Source: C:\Windows\SysWOW64\svchost.exe TID: 7312 | Thread sleep time: -33000s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (3 times)
        Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed (2 times)
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Code function: 0_2_00401D96 CreateThread,GetVersionExA,GetSystemInfo,GetModuleHandleA,GetProcAddress,GetCurrentProcess,GetTickCount, 0_2_00401D96
        Source: svchost.exe, 00000011.00000002.2948546824.0000000003400000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"2
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | API call chain: ExitProcess graph end node graph_0-15156
        Source: C:\Windows\SysWOW64\svchost.exe | API call chain: ExitProcess graph end node graph_17-6191

        Anti Debugging

        Source: C:\Windows\SysWOW64\svchost.exe | Debugger detection routine: GetTickCount, GetTickCount, DecisionNodes, ExitProcess or Sleep graph_17-7683
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Code function: 0_2_00406069 IsBadReadPtr,LoadLibraryA,GetProcAddress,GetProcAddress,IsBadReadPtr, 0_2_00406069
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Code function: 0_2_025E092B mov eax, dword ptr fs:[00000030h] 0_2_025E092B
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Code function: 0_2_025E0D90 mov eax, dword ptr fs:[00000030h] 0_2_025E0D90
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Code function: 0_2_02651776 push dword ptr fs:[00000030h] 0_2_02651776
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Code function: 11_2_0255092B mov eax, dword ptr fs:[00000030h] 11_2_0255092B
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Code function: 11_2_02550D90 mov eax, dword ptr fs:[00000030h] 11_2_02550D90
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Code function: 11_2_025DD41E push dword ptr fs:[00000030h] 11_2_025DD41E
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Code function: 0_2_0040EBCC GetProcessHeap,RtlAllocateHeap, 0_2_0040EBCC
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Code function: 0_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 0_2_00409A6B
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Code function: 11_2_00409A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 11_2_00409A6B
        Source: C:\Windows\SysWOW64\svchost.exe | Code function: 17_2_02F89A6B EntryPoint,SetErrorMode,SetErrorMode,SetErrorMode,SetUnhandledExceptionFilter,GetModuleHandleA,GetModuleFileNameA,GetCommandLineA,lstrlenA,ExitProcess,GetTempPathA,lstrcpyA,lstrcatA,lstrcatA,GetFileAttributesExA,DeleteFileA,GetEnvironmentVariableA,lstrcpyA,lstrlenA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,wsprintfA,lstrcatA,lstrcatA,CreateProcessA,DeleteFileA,GetModuleHandleA,GetModuleFileNameA,GetDriveTypeA,GetCommandLineA,lstrlenA,StartServiceCtrlDispatcherA,DeleteFileA,GetLastError,Sleep,DeleteFileA,CreateThread,CreateThread,WSAStartup,CreateThread,Sleep,Sleep,GetTickCount,GetTickCount,GetTickCount,Sleep, 17_2_02F89A6B

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 74.125.71.27:25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 52.101.8.49:25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 217.69.139.150:25
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 213.226.112.95:443
        Source: C:\Windows\SysWOW64\svchost.exe | Network Connect: 67.195.204.74:25
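        The Network Connect rows above show a 32-bit svchost.exe opening direct connections to port 25 on four unrelated mail providers (plus one TLS connection), which is the traffic shape of a spam module rather than of a mail client, which submits everything to a single relay. The Python below is an added example, not part of the Joe Sandbox report or of the sample, of a fan-out heuristic a detection engineer can run over connection telemetry. The connection records are constructed from the rows above; the two benign rows, the mail-client allowlist and the threshold of three distinct hosts are assumptions.

```python
"""Flag processes that fan out over SMTP to many distinct hosts.

Added example. A spam module talks directly to the public MX endpoints of
many providers; a legitimate mail client submits everything to one relay.
Connection records are constructed from the report's Network Connect rows
(the SysWOW64 svchost.exe entries) plus two benign rows added for contrast.
"""
from collections import defaultdict

SMTP_PORTS = {25, 465, 587}
# Assumed allowlist: images that are expected to speak SMTP on a workstation.
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}

CONNECTIONS = [
    # (process image, destination IP, destination port)
    (r"C:\Windows\SysWOW64\svchost.exe", "74.125.71.27", 25),
    (r"C:\Windows\SysWOW64\svchost.exe", "52.101.8.49", 25),
    (r"C:\Windows\SysWOW64\svchost.exe", "217.69.139.150", 25),
    (r"C:\Windows\SysWOW64\svchost.exe", "213.226.112.95", 443),
    (r"C:\Windows\SysWOW64\svchost.exe", "67.195.204.74", 25),
    # constructed benign rows, not from the report
    (r"C:\Program Files\Microsoft Office\root\Office16\outlook.exe", "10.0.0.5", 587),
    (r"C:\Windows\System32\svchost.exe", "13.107.4.50", 443),
]


def image_name(path):
    """Lower-case file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def smtp_destinations(records):
    """Map each non-allowlisted image to the set of SMTP hosts it contacted."""
    by_image = defaultdict(set)
    for image, ip, port in records:
        if port in SMTP_PORTS and image_name(image) not in MAIL_CLIENT_ALLOWLIST:
            by_image[image].add(ip)
    return by_image


def smtp_fanout(records, min_distinct=3):
    """Return {image: sorted SMTP hosts} for images that contacted at least
    min_distinct distinct SMTP hosts. The threshold is an assumption; tune it
    against the environment's baseline (hosts without a local MTA should sit
    at zero, so even a low threshold is quiet there)."""
    return {image: sorted(ips)
            for image, ips in smtp_destinations(records).items()
            if len(ips) >= min_distinct}


if __name__ == "__main__":
    for image, ips in smtp_fanout(CONNECTIONS).items():
        print(f"SMTP fan-out from {image}: {len(ips)} hosts ({', '.join(ips)})")
```

        The heuristic keys on distinct destinations rather than connection count, so a single retried submission to one relay never fires, while the report's pattern (four providers from one process) does. Pairing it with the parent-process check (a service-hosting svchost.exe is started by services.exe, not by a dropped binary) removes most remaining false positives.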
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 2F80000 protect: page execute and read and write
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F80000 value starts with: 4D5A
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F80000
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 31F4008
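        The Memory allocated / Memory written rows above show the dropped service binary reserving an execute-read-write region in svchost.exe and writing a buffer that begins with 4D5A (an MZ header) into it; the Data Obfuscation rows earlier compare the section table of the image unpacked in memory with the on-disk file. The Python below is an added example, not part of the report or of the sample, of the triage a responder does on such a region: confirm it is a PE image, read its section table, render the rights of each section in a compact name:rights form and diff it against the on-disk image. The E/R/W letters are this example's own rendering of the IMAGE_SCN_MEM_* flags (similar to, but not the same as, the report's notation). The PE images are constructed header-only samples modelled on the section names in the report; the third sample, with a writable and executable .text section, is an assumed contrast case.

```python
"""Triage a memory region that was written into another process.

Added example. Confirms the buffer is a PE image, lists its sections with
their memory rights, and diffs the section table against the on-disk file,
which is how a responder tells an unpacked or injected image apart from the
original. The PE images below are constructed, header-only samples modelled
on the section names in the report; the E/R/W letters are this example's own
rendering of the IMAGE_SCN_MEM_* flags.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
E, R, W = IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
FILE_HEADER = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def parse_sections(image):
    """Return (machine, [(name, virtual_address, virtual_size, characteristics)]).
    Raises ValueError (or struct.error on a truncated buffer) if it is not PE."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER, image, e_lfanew + 4)
    first = e_lfanew + 4 + struct.calcsize(FILE_HEADER) + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, _, _, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, image, first + i * struct.calcsize(SECTION_HEADER))
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
    return machine, sections


def looks_like_pe(region):
    """(True, machine) when the region parses as a PE image, else (False, None)."""
    try:
        machine, _ = parse_sections(region)
        return True, machine
    except (ValueError, struct.error):
        return False, None


def rights(chars):
    """Render section memory rights as a compact letter string, e.g. 'ER'."""
    return "".join(ch for flag, ch in ((E, "E"), (R, "R"), (W, "W")) if chars & flag)


def section_summary(image):
    """'name:rights;' for every section, in table order."""
    _, sections = parse_sections(image)
    return "".join(f"{name}:{rights(chars)};" for name, _, _, chars in sections)


def compare_images(on_disk, in_memory):
    """Diff the section tables of the file and the dumped image."""
    disk = {name: rights(c) for name, _, _, c in parse_sections(on_disk)[1]}
    mem = {name: rights(c) for name, _, _, c in parse_sections(in_memory)[1]}
    return {
        "added": sorted(set(mem) - set(disk)),
        "removed": sorted(set(disk) - set(mem)),
        "changed": sorted(n for n in set(disk) & set(mem) if disk[n] != mem[n]),
        # a linker never emits code that is both writable and executable
        "writable_and_executable": sorted(n for n, r in mem.items() if "W" in r and "E" in r),
    }


def build_pe(sections, machine=0x14C):
    """Construct a minimal PE32 image consisting of headers only (test data)."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_header = struct.pack(FILE_HEADER, machine, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)   # PE32 magic
    table, va = b"", 0x1000
    for name, chars in sections:
        table += struct.pack(SECTION_HEADER, name.encode("ascii"), 0x1000, va, 0x1000, 0, 0, 0, 0, 0, chars)
        va += 0x1000
    return bytes(dos) + b"PE\0\0" + file_header + bytes(optional) + table


# Constructed samples modelled on the report's section lists.
ON_DISK = build_pe([(".text", E | R), (".rdata", R), (".data", R | W), (".reloc", R)])
IN_MEMORY = build_pe([(".text", E | R), (".rdata", R), (".data", R | W), (".rsrc", R)])
# Assumed contrast case: an image whose code section was left writable.
INJECTED_RWX = build_pe([(".text", E | R | W), (".data", R | W)])

if __name__ == "__main__":
    print(section_summary(IN_MEMORY), "vs", section_summary(ON_DISK))
    print(compare_images(ON_DISK, IN_MEMORY))
```

        On a live host the region bytes come from ReadProcessMemory (or a minidump) at the base the report names, and the on-disk image is the file the target process was started from; a section table that differs from it, or a code section that is writable, is the signal that the process is no longer running what is on disk. The region's own page protection (execute and read and write in the rows above) is a separate indicator that does not need the PE parse at all.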
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rpfcsqnj\
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\ybuffopp.exe" C:\Windows\SysWOW64\rpfcsqnj\
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" create rpfcsqnj binPath= "C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d\"C:\Users\user\Desktop\ewdWlNc8TL.exe\"" type= own start= auto DisplayName= "wifi support"
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" description rpfcsqnj "wifi internet conection"
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\SysWOW64\sc.exe "C:\Windows\System32\sc.exe" start rpfcsqnj
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exeProcess created: C:\Windows\SysWOW64\svchost.exe svchost.exeJump to behavior
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3664 -ip 3664Jump to behavior
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 652Jump to behavior
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4048 -ip 4048Jump to behavior
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 540Jump to behavior
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exeCode function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exeCode function: 0_2_00406EDD AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00406EDD
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Windows\SysWOW64\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exeCode function: 0_2_0040405E CreateEventA,ExitProcess,CloseHandle,CreateNamedPipeA,Sleep,CloseHandle,ConnectNamedPipe,GetLastError,DisconnectNamedPipe,CloseHandle,CloseHandle,CloseHandle,0_2_0040405E
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exeCode function: 0_2_0040EC54 GetSystemTimeAsFileTime,GetVolumeInformationA,GetTickCount,0_2_0040EC54
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exeCode function: 0_2_00407809 CreateThread,GetUserNameA,LookupAccountNameA,GetLengthSid,GetFileSecurityA,GetSecurityDescriptorOwner,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetFileSecurityA,LocalFree,GetSecurityDescriptorDacl,GetAce,EqualSid,DeleteAce,EqualSid,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetFileSecurityA,LocalFree,0_2_00407809
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exeCode function: 0_2_0040B211 FileTimeToSystemTime,GetLocalTime,FileTimeToLocalFileTime,FileTimeToSystemTime,SystemTimeToFileTime,FileTimeToSystemTime,GetTimeZoneInformation,wsprintfA,0_2_0040B211
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exeCode function: 0_2_00409326 GetVersionExA,GetModuleHandleA,GetModuleFileNameA,wsprintfA,wsprintfA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,0_2_00409326
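The lines above record ybuffopp.exe allocating an execute/read/write region in svchost.exe at 0x2F80000, writing a PE image there (first bytes 4D5A), and the injected svchost.exe then opening port-25 connections to four mail exchangers plus port 443 to vanaheim.cn. As an added example that is not part of the Joe Sandbox report, the script below parses those lines as they were extracted and does the three checks a triager wants from them: it pairs the allocation with its writes and the MZ header, it converts the Code function addresses in each process into RVAs from that process's image base to show that 17_2_02F888B0 in svchost.exe is the same function as 11_2_004088B0 in ybuffopp.exe (0x2F888B0 - 0x2F80000 = 0x4088B0 - 0x400000 = 0x88B0), and it flags the SMTP fan-out. The image bases come from the unpacked-PE names in the Yara sections further down; the fan-out threshold of three destinations is an assumed value.

```python
"""Triage of the behaviour lines in this section (added example; not Joe
Sandbox code): pair the RWX allocation in svchost.exe with the writes to it and
check for the MZ header, turn the "Code function" addresses into RVAs from each
process's image base, and flag SMTP fan-out from the injected process."""
import re
from collections import defaultdict

# Constructed input: lines copied from this report as extracted (the process
# path runs straight into the event type and each behaviour line ends in the
# "Jump to behavior" link text); the API list of 17_2_02F89A6B is shortened.
BEHAVIOUR = r"""
Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 74.125.71.27 25Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 52.101.8.49 25Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 217.69.139.150 25Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 213.226.112.95 443Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exeNetwork Connect: 67.195.204.74 25Jump to behavior
Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exeMemory allocated: C:\Windows\SysWOW64\svchost.exe base: 2F80000 protect: page execute and read and writeJump to behavior
Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2F80000 value starts with: 4D5AJump to behavior
Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2F80000Jump to behavior
Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 31F4008Jump to behavior
Source: C:\Users\user\Desktop\ewdWlNc8TL.exeCode function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,0_2_004088B0
Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exeCode function: 11_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,11_2_004088B0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_02F888B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,17_2_02F888B0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_02F89A6B EntryPoint,SetErrorMode,SetUnhandledExceptionFilter,StartServiceCtrlDispatcherA,WSAStartup,17_2_02F89A6B
"""

# Unpacked-PE names from the Yara sections: first field = process index (as in
# the "17_2_..." ids), hex field before the trailing counter = dump base.
UNPACK_NAMES = ["0.2.ewdWlNc8TL.exe.400000.0.unpack", "11.2.ybuffopp.exe.400000.0.unpack",
                "17.2.svchost.exe.2f80000.0.unpack"]

LINE_RE = re.compile(r"^Source: (?P<src>.+?\.exe)\s*(?P<kind>Network Connect|Memory allocated|"
                     r"Memory written|Code function): (?P<rest>.*)$")
NET_RE = re.compile(r"^(?P<ip>[\d.]+) (?P<port>\d+)$")
MEM_RE = re.compile(r"^(?P<target>.+?\.exe) base: (?P<base>[0-9A-Fa-f]+)"
                    r"(?: protect: (?P<protect>.+?))?(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$")
FUNC_RE = re.compile(r"^(?P<pidx>\d+)_\d+_(?P<addr>[0-9A-Fa-f]+) (?P<apis>\S+)$")
UNPACK_RE = re.compile(r"^(?P<pidx>\d+)\.\d+\..+?\.(?P<base>[0-9A-Fa-f]+)\.\d+\.unpack$")

def parse(text):
    """Turn report lines into event dicts; lines of other kinds are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.replace("Jump to behavior", "").strip())
        if not m:
            continue
        ev, rest = {"src": m["src"], "kind": m["kind"]}, m["rest"].strip()
        if ev["kind"] == "Network Connect":
            n = NET_RE.match(rest)
            ev.update(ip=n["ip"], port=int(n["port"]))
        elif ev["kind"] == "Code function":
            n = FUNC_RE.match(rest)   # the function id is repeated after the API list; drop it
            ev.update(pidx=int(n["pidx"]), addr=int(n["addr"], 16),
                      apis=[a for a in n["apis"].split(",") if not a.endswith(n["addr"])])
        else:
            n = MEM_RE.match(rest)
            ev.update(target=n["target"], base=int(n["base"], 16),
                      protect=n["protect"], magic=n["magic"])
        events.append(ev)
    return events

def injections(events):
    """Foreign allocations paired with writes to the same base; foreign writes outside
    any reported allocation are returned apart (the report does not show that region)."""
    regions, stray = {}, []
    for e in events:
        if e["kind"] == "Memory allocated" and e["src"] != e["target"]:
            regions[(e["src"], e["target"], e["base"])] = {
                "src": e["src"], "target": e["target"], "base": e["base"],
                "protect": e["protect"], "writes": 0, "pe_header": False}
    for e in events:
        if e["kind"] == "Memory written" and e["src"] != e["target"]:
            r = regions.get((e["src"], e["target"], e["base"]))
            if r is None:
                stray.append((e["target"], e["base"]))
            else:
                r["writes"] += 1
                r["pe_header"] |= (e["magic"] or "").upper().startswith("4D5A")
    return list(regions.values()), stray

def image_bases(names):
    return {int(m["pidx"]): int(m["base"], 16) for m in map(UNPACK_RE.match, names) if m}

def rvas(events, bases):
    """RVA of each reported function -> set of process indexes it was seen in."""
    seen = defaultdict(set)
    for e in events:
        if e["kind"] == "Code function" and e["pidx"] in bases:
            seen[e["addr"] - bases[e["pidx"]]].add(e["pidx"])
    return dict(seen)

def shared_rvas(events, bases):
    """RVAs reported in more than one process: the same code relocated to a new base."""
    return {rva for rva, procs in rvas(events, bases).items() if len(procs) > 1}

def smtp_fanout(events, min_destinations=3):
    """Processes with port-25 connections to several distinct hosts (threshold assumed)."""
    by_src = defaultdict(set)
    for e in events:
        if e["kind"] == "Network Connect" and e["port"] == 25:
            by_src[e["src"]].add(e["ip"])
    return {src: sorted(ips) for src, ips in by_src.items() if len(ips) >= min_destinations}

if __name__ == "__main__":
    ev = parse(BEHAVIOUR)
    print("injection:", injections(ev))
    print("shared RVAs:", [hex(v) for v in shared_rvas(ev, image_bases(UNPACK_NAMES))],
          "SMTP fan-out:", smtp_fanout(ev))
```

The write to 0x31F4008 lands outside the reported allocation, so it is listed separately rather than folded into the injection record; the report does not say what that region is. The shared-RVA check is what ties the 17.2.svchost.exe.2f80000.0.unpack dump in the Yara sections to 11.2.ybuffopp.exe.400000.0.unpack as the same code, which is also why the same Tofsee rules hit both.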

        Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\ewdWlNc8TL.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
Source: C:\Users\user\Desktop\ewdWlNc8TL.exe Process created: C:\Windows\SysWOW64\netsh.exe "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
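Read together with the process creations in the previous section, the netsh rule is the last step of one install sequence: mkdir of an eight-letter directory under SysWOW64, move of the dropped ybuffopp.exe out of %TEMP% into it, sc create of an auto-start service named after the directory (DisplayName "wifi support", the original sample path passed as a /d argument in binPath), sc start, and an inbound allow rule for svchost.exe under the name "Host-process for services of Windows". The service binary then launches a bare svchost.exe (no -k group, parent not services.exe) that receives the injected payload. As an added example that is neither Joe Sandbox nor Sigma code, the detection below runs four rules over Sysmon-style process-creation records rebuilt from this report and groups the hits per chain, so the stages surface as one alert rather than five. The record layout, all PIDs other than 3664, 4048 and 7276, and the benign services.exe/svchost.exe control records are assumptions.

```python
"""Detection over process-creation events for the install chain in this report
(added example; not Joe Sandbox or Sigma code).  Four rules cover the stages
seen above: payload staged from %TEMP% into a new SysWOW64 subdirectory,
registered as an auto-start service, firewall opened for svchost.exe, and
svchost.exe launched by a non-services.exe parent with no -k group."""
import re
from collections import defaultdict

# Constructed input: Sysmon Event ID 1-style records built from the process creations
# in this report.  PIDs 3664, 4048, 7276 are the report's; the rest and the benign
# services.exe/svchost.exe control (900/901) are assumed.
SYSWOW = r"C:\Windows\SysWOW64"
DROPPER = r"C:\Users\user\Desktop\ewdWlNc8TL.exe"
EVENTS = [
    {"pid": 900, "ppid": 500, "image": r"C:\Windows\System32\services.exe", "cmd": "services.exe"},
    {"pid": 901, "ppid": 900, "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs -p"},
    {"pid": 3664, "ppid": 2000, "image": DROPPER, "cmd": f'"{DROPPER}"'},
    {"pid": 3700, "ppid": 3664, "image": SYSWOW + r"\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rpfcsqnj' + "\\"},
    {"pid": 3701, "ppid": 3664, "image": SYSWOW + r"\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\ybuffopp.exe" '
            r'C:\Windows\SysWOW64\rpfcsqnj' + "\\"},
    {"pid": 3702, "ppid": 3664, "image": SYSWOW + r"\sc.exe",
     "cmd": r'"C:\Windows\System32\sc.exe" create rpfcsqnj binPath= "C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe '
            r'/d\"C:\Users\user\Desktop\ewdWlNc8TL.exe\"" type= own start= auto DisplayName= "wifi support"'},
    {"pid": 3703, "ppid": 3664, "image": SYSWOW + r"\sc.exe", "cmd": r'"C:\Windows\System32\sc.exe" start rpfcsqnj'},
    {"pid": 3704, "ppid": 3664, "image": SYSWOW + r"\netsh.exe",
     "cmd": r'"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of '
            r'Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes'},
    {"pid": 4048, "ppid": 900, "image": SYSWOW + r"\rpfcsqnj\ybuffopp.exe",
     "cmd": SYSWOW + r'\rpfcsqnj\ybuffopp.exe /d"C:\Users\user\Desktop\ewdWlNc8TL.exe"'},
    {"pid": 7276, "ppid": 4048, "image": SYSWOW + r"\svchost.exe", "cmd": "svchost.exe"},
]

def _is(ev, name):
    return ev["image"].lower().endswith("\\" + name)

def rule_stage_payload(ev):
    """cmd.exe moving a file out of a user's Temp directory into the Windows directory."""
    if not _is(ev, "cmd.exe"):
        return None
    m = re.search(r'\bmove\s+(?:/y\s+)?"?(?P<src>[^"]+?\\AppData\\Local\\Temp\\[^"\s]+)"?\s+'
                  r'"?(?P<dst>[a-z]:\\Windows\\[^"\s]*)', ev["cmd"], re.I)
    return {"detail": f"{m['src']} -> {m['dst']}"} if m else None

def rule_install_service(ev):
    """sc create ... start= auto with binPath in a fresh 8-lowercase-letter system subdirectory."""
    if not _is(ev, "sc.exe"):
        return None
    m = re.search(r'\bcreate\s+(?P<svc>\S+).*?binpath=\s*"?(?P<path>[a-z]:\\Windows\\(?:SysWOW64|System32)\\'
                  r'(?P<dir>[a-z]{8})\\[^\\"\s]+\.exe)', ev["cmd"], re.I)
    if not m or not m["dir"].islower() or not re.search(r"\bstart=\s*auto\b", ev["cmd"], re.I):
        return None
    return {"svc": m["svc"], "path": m["path"], "detail": f"auto-start service {m['svc']} from new directory {m['dir']}"}

def rule_open_firewall(ev):
    """netsh adding an inbound allow rule whose program is svchost.exe."""
    if not _is(ev, "netsh.exe"):
        return None
    c, prog = ev["cmd"], re.search(r'program="?(?P<p>[^"\s]+)', ev["cmd"], re.I)
    if (re.search(r"advfirewall\s+firewall\s+add\s+rule", c, re.I) and re.search(r"\bdir=in\b", c, re.I)
            and re.search(r"\baction=allow\b", c, re.I) and prog and prog["p"].lower().endswith(r"\svchost.exe")):
        return {"detail": f"inbound allow rule for {prog['p']}"}
    return None

def rule_rogue_svchost(ev, by_pid):
    """svchost.exe not started by services.exe, or started without a -k service group."""
    if not _is(ev, "svchost.exe"):
        return None
    parent, reasons = by_pid.get(ev["ppid"]), []
    if not (parent and _is(parent, "services.exe")):
        reasons.append("parent is " + (parent["image"] if parent else f"unknown pid {ev['ppid']}"))
    if not re.search(r"\s-k\s+\S+", ev["cmd"]):
        reasons.append("no -k service group")
    return {"detail": "; ".join(reasons)} if reasons else None

def chain_root(pid, by_pid):
    """Climb parents until the parent is unknown or is the SCM (services.exe)."""
    for _ in range(64):                                  # bound against forged/cyclic ppids
        parent = by_pid.get(by_pid[pid]["ppid"])
        if parent is None or _is(parent, "services.exe"):
            break
        pid = parent["pid"]
    return pid

def detect(events):
    """{root image: {rule name: hit}} for every chain with at least one hit."""
    by_pid = {e["pid"]: e for e in events}
    chains = defaultdict(dict)
    for e in events:
        hits = {"stage_payload": rule_stage_payload(e), "install_service": rule_install_service(e),
                "open_firewall": rule_open_firewall(e), "rogue_svchost": rule_rogue_svchost(e, by_pid)}
        for name, hit in hits.items():
            if hit:
                chains[by_pid[chain_root(e["pid"], by_pid)]["image"]][name] = hit
    return dict(chains)

def correlate(findings):
    """(installer, service name, service binary) where the installed binary runs a chain of its own."""
    return [(installer, st["install_service"]["svc"], root)
            for installer, st in findings.items() if "install_service" in st
            for root, other in findings.items()
            if root.lower() == st["install_service"]["path"].lower() and "rogue_svchost" in other]

if __name__ == "__main__":
    found = detect(EVENTS)
    for root, stages in found.items():
        print(root, {k: v["detail"] for k, v in stages.items()})
    print("installer -> service -> payload:", correlate(found))
```

Grouping by the nearest ancestor below services.exe is what keeps the two halves of the chain apart and still linkable: the dropper's cmd/sc/netsh children roll up to ewdWlNc8TL.exe, the rogue svchost.exe rolls up to ybuffopp.exe (its parent is the SCM, exactly because it was installed as a service), and correlate() joins the two through the binPath recorded by the service rule. The control record svchost.exe -k netsvcs -p under services.exe must stay silent; the report's own svchost.exe is launched with no arguments at all.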

        Stealing of Sensitive Information

Source: Yara match, file source: 11.2.ybuffopp.exe.2c60000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.2.ybuffopp.exe.2c60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.ewdWlNc8TL.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.ewdWlNc8TL.exe.25e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.3.ybuffopp.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.3.ewdWlNc8TL.exe.2600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.2.ybuffopp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 17.2.svchost.exe.2f80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.ewdWlNc8TL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 17.2.svchost.exe.2f80000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.2.ybuffopp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.2.ybuffopp.exe.2550e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000003.1770040637.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000002.1774025895.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.1720652652.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: ewdWlNc8TL.exe PID: 3664, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: ybuffopp.exe PID: 4048, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: svchost.exe PID: 7276, type: MEMORYSTR

        Remote Access Functionality

Source: Yara match, file source: 11.2.ybuffopp.exe.2c60000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.2.ybuffopp.exe.2c60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.ewdWlNc8TL.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.ewdWlNc8TL.exe.25e0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.3.ybuffopp.exe.2c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.3.ewdWlNc8TL.exe.2600000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.2.ybuffopp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 17.2.svchost.exe.2f80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.ewdWlNc8TL.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 17.2.svchost.exe.2f80000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.2.ybuffopp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 11.2.ybuffopp.exe.2550e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000003.1770040637.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000002.1774025895.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000003.1720652652.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: ewdWlNc8TL.exe PID: 3664, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: ybuffopp.exe PID: 4048, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: svchost.exe PID: 7276, type: MEMORYSTR
        Source: C:\Users\user\Desktop\ewdWlNc8TL.exeCode function: 0_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,0_2_004088B0
        Source: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exeCode function: 11_2_004088B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,11_2_004088B0
        Source: C:\Windows\SysWOW64\svchost.exeCode function: 17_2_02F888B0 CreateThread,CreateThread,send,recv,socket,connect,closesocket,setsockopt,bind,listen,accept,select,getpeername,getsockname,17_2_02F888B0
MITRE ATT&CK matrix, flattened by tactic (techniques in the order displayed; the number before a technique is the count the matrix shows for it):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains
Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools
Execution: 41 Native API; 2 Command and Scripting Interpreter; 3 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript
Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 14 Windows Service; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Privilege Escalation: 1 DLL Side-Loading; 1 Valid Accounts; 1 Access Token Manipulation; 14 Windows Service; 412 Process Injection; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd
Defense Evasion: 3 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; 1 File Deletion; 12 Masquerading; 1 Valid Accounts; 11 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 412 Process Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 File and Directory Discovery; 15 System Information Discovery; 111 Security Software Discovery; 11 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery; Network Service Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging
Command and Control: 1 Ingress Tool Transfer; 12 Encrypted Channel; 1 Non-Application Layer Protocol; 112 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption
Behavior Graph ID: 1482762, Sample: ewdWlNc8TL.exe, Startdate: 26/07/2024, Architecture: WINDOWS, Score: 100

Process tree as drawn in the behavior graph (graph node numbers in parentheses):

Start (2)
  DNS/IP: yahoo.com; vanaheim.cn; 6 other IPs or domains
  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
  ybuffopp.exe (8) started
    Signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 2 other signatures
    svchost.exe (16) started
      DNS/IP: mta6.am0.yahoodns.net 67.195.204.74, 25, YAHOO-3US, United States; vanaheim.cn 213.226.112.95, 443, 49732, 61237, RETN-ASEU, Russian Federation; 3 other IPs or domains
      Signatures: System process connects to network (likely due to code injection or exploit); Found API chain indicative of debugger detection; Deletes itself after installation; Adds extensions / path to Windows Defender exclusion list (Registry)
    WerFault.exe (20) started
  ewdWlNc8TL.exe (11) started
    Dropped: C:\Users\user\AppData\Local\...\ybuffopp.exe, PE32
    Signatures: Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
    cmd.exe (22) started
      Dropped: C:\Windows\SysWOW64\...\ybuffopp.exe (copy), PE32
      conhost.exe (35) started
    netsh.exe (25) started
      conhost.exe (37) started
    cmd.exe (27) started
      conhost.exe (39) started
    4 other processes (33)
      conhost.exe (41), conhost.exe (43), conhost.exe (45) started
  svchost.exe (14) started
    WerFault.exe (29) started
    WerFault.exe (31) started

Source | Detection | Scanner | Label
ewdWlNc8TL.exe | 92% | ReversingLabs | Win32.Trojan.StealC
ewdWlNc8TL.exe | 75% | Virustotal |
ewdWlNc8TL.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\ybuffopp.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Source | Detection | Scanner | Label
mta6.am0.yahoodns.net | 1% | Virustotal |
mxs.mail.ru | 0% | Virustotal |
microsoft-com.mail.protection.outlook.com | 0% | Virustotal |
vanaheim.cn | 17% | Virustotal |
google.com | 0% | Virustotal |
smtp.google.com | 0% | Virustotal |
yahoo.com | 0% | Virustotal |
mail.ru | 0% | Virustotal |

Source | Detection | Scanner | Label
vanaheim.cn:443 | 100% | Avira URL Cloud | phishing
jotunheim.name:443 | 0% | Avira URL Cloud | safe
vanaheim.cn:443 | 8% | Virustotal |
jotunheim.name:443 | 13% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mta6.am0.yahoodns.net | 67.195.204.74 | true | true | | unknown
mxs.mail.ru | 217.69.139.150 | true | true | | unknown
microsoft-com.mail.protection.outlook.com | 52.101.8.49 | true | true | | unknown
vanaheim.cn | 213.226.112.95 | true | true | | unknown
smtp.google.com | 74.125.71.27 | true | false | | unknown
google.com | unknown | unknown | true | | unknown
yahoo.com | unknown | unknown | true | | unknown
mail.ru | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
vanaheim.cn:443 | true | 8% Virustotal; Avira URL Cloud: phishing | unknown
jotunheim.name:443 | true | 13% Virustotal; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
74.125.71.27 | smtp.google.com | United States | 15169 | GOOGLEUS | false
213.226.112.95 | vanaheim.cn | Russian Federation | 9002 | RETN-ASEU | true
52.101.8.49 | microsoft-com.mail.protection.outlook.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
217.69.139.150 | mxs.mail.ru | Russian Federation | 47764 | MAILRU-ASMailRuRU | true
67.195.204.74 | mta6.am0.yahoodns.net | United States | 26101 | YAHOO-3US | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1482762
Start date and time: 2024-07-26 04:11:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ewdWlNc8TL.exe (renamed because the original name is a hash value)
Original Sample Name: 6c2830c79d0a840f479ad635e3d57883.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@31/3@9/5
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 61
• Number of non-executed functions: 255
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 20.76.201.171, 20.70.246.20, 20.112.250.133, 20.231.239.246, 20.236.44.162
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, microsoft.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behavior information
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
22:12:48 | API Interceptor | 7x Sleep call for process: svchost.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
213.226.112.95 | rRBVVlBwia.exe | malicious | Tofsee
52.101.8.49 | kPl1mZTpru.exe | malicious | Tofsee
52.101.8.49 | Wc4SadetF5.exe | malicious | Tofsee
52.101.8.49 | L7iza9mNDI.exe | malicious | Tofsee
52.101.8.49 | file.exe | malicious | Tofsee
52.101.8.49 | mvu3vh0t.exe | malicious | Tofsee
52.101.8.49 | U9dDsItOij.exe | malicious | Tofsee
52.101.8.49 | bwntJQufLG.exe | malicious | Tofsee
52.101.8.49 | t26nL0kcxj.exe | malicious | Tofsee
52.101.8.49 | lhs31fcc2k0lmr.exe | malicious | Tofsee
52.101.8.49 | SecuriteInfo.com.Win32.TrojanX-gen.11678.1633.exe | malicious | Tofsee
217.69.139.150 | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee
217.69.139.150 | vyrcclmm.exe | malicious | Tofsee
217.69.139.150 | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee
217.69.139.150 | I5vhb7vJPS.exe | malicious | Tofsee
217.69.139.150 | lYWiDKe1In.exe | malicious | Tofsee
217.69.139.150 | dIg0MWRViP.exe | malicious | Tofsee
217.69.139.150 | rpzOeQ5QzX.exe | malicious | Tofsee
217.69.139.150 | OgcktrbHkI.exe | malicious | Tofsee
217.69.139.150 | G7DyaA9iz9.exe | malicious | Pushdo
217.69.139.150 | x607DB0i08.exe | malicious | Pushdo
67.195.204.74 | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee
67.195.204.74 | file.exe | malicious | Tofsee
67.195.204.74 | file.msg.scr.exe | malicious | Unknown
67.195.204.74 | file.exe | malicious | Phorpiex, Xmrig
67.195.204.74 | l3Qj8QhTYZ.exe | malicious | Phorpiex
67.195.204.74 | message.elm.exe | malicious | Unknown
67.195.204.74 | message.txt.exe | malicious | Unknown
67.195.204.74 | test.dat.exe | malicious | Unknown
67.195.204.74 | Update-KB2984-x86.exe | malicious | Unknown
67.195.204.74 | 64434c8c20fe4b64041795ac2a1472662fa5d33fa0cbb.exe | malicious | Raccoon, RedLine, SmokeLoader, Tofsee, Vidar, Xmrig
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
mta6.am0.yahoodns.net | rRBVVlBwia.exe | malicious | Tofsee | 98.136.96.74
mta6.am0.yahoodns.net | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 98.136.96.75
mta6.am0.yahoodns.net | I5vhb7vJPS.exe | malicious | Tofsee | 67.195.228.110
mta6.am0.yahoodns.net | OgcktrbHkI.exe | malicious | Tofsee | 67.195.228.110
mta6.am0.yahoodns.net | file.exe | malicious | Phorpiex | 67.195.228.94
mta6.am0.yahoodns.net | file.exe | malicious | Phorpiex | 67.195.204.72
mta6.am0.yahoodns.net | RqrQG7s66x.dll | malicious | Unknown | 67.195.228.109
mta6.am0.yahoodns.net | webcam.txt.com.exe | malicious | Unknown | 67.195.204.73
mta6.am0.yahoodns.net | file.exe | malicious | Tofsee | 98.136.96.74
mta6.am0.yahoodns.net | file.msg.scr.exe | malicious | Unknown | 67.195.228.106
microsoft-com.mail.protection.outlook.com | rRBVVlBwia.exe | malicious | Tofsee | 52.101.42.0
microsoft-com.mail.protection.outlook.com | setup.exe | malicious | Tofsee | 52.101.40.26
microsoft-com.mail.protection.outlook.com | m4Jp2TLBHJ.exe | malicious | Tofsee | 104.47.53.36
microsoft-com.mail.protection.outlook.com | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 104.47.54.36
microsoft-com.mail.protection.outlook.com | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee | 104.47.53.36
microsoft-com.mail.protection.outlook.com | vyrcclmm.exe | malicious | Tofsee | 52.101.11.0
microsoft-com.mail.protection.outlook.com | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 52.101.11.0
microsoft-com.mail.protection.outlook.com | bill.txt.exe | malicious | Unknown | 104.47.54.36
microsoft-com.mail.protection.outlook.com | I5vhb7vJPS.exe | malicious | Tofsee | 104.47.54.36
microsoft-com.mail.protection.outlook.com | lYWiDKe1In.exe | malicious | Tofsee | 52.101.40.26
vanaheim.cn | rRBVVlBwia.exe | malicious | Tofsee | 213.226.112.95
vanaheim.cn | setup.exe | malicious | Tofsee | 185.218.0.41
vanaheim.cn | m4Jp2TLBHJ.exe | malicious | Tofsee | 195.133.13.231
vanaheim.cn | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 195.133.13.231
vanaheim.cn | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee | 195.133.13.231
vanaheim.cn | vyrcclmm.exe | malicious | Tofsee | 195.133.13.231
vanaheim.cn | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 195.133.13.231
vanaheim.cn | I5vhb7vJPS.exe | malicious | Tofsee | 62.76.228.127
vanaheim.cn | lYWiDKe1In.exe | malicious | Tofsee | 62.76.228.127
vanaheim.cn | dIg0MWRViP.exe | malicious | Tofsee | 141.8.199.94
mxs.mail.ru | rRBVVlBwia.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | setup.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | 5CxmQXL0LD.exe | malicious | SystemBC | 94.100.180.31
mxs.mail.ru | m4Jp2TLBHJ.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | SecuriteInfo.com.Win32.CrypterX-gen.13041.27911.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | vyrcclmm.exe | malicious | Tofsee | 94.100.180.31
mxs.mail.ru | AvDJi40xp_9fyz7RPmKdbxb4.exe | malicious | Tofsee | 217.69.139.150
mxs.mail.ru | yq5xNPpWCT.exe | malicious | PureLog Stealer, SystemBC | 94.100.180.31
mxs.mail.ru | I5vhb7vJPS.exe | malicious | Tofsee | 217.69.139.150
                                                                       Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                                                       RETN-ASEU | LisectAVT_2403002A_312.exe | malicious | HTMLPhisher | 139.45.197.236
                                                                       RETN-ASEU | LisectAVT_2403002A_312.exe | malicious | HTMLPhisher | 139.45.197.236
                                                                       RETN-ASEU | rRBVVlBwia.exe | malicious | Tofsee | 213.226.112.95
                                                                       RETN-ASEU | https://ky.codzika.xyz/pubg/ | malicious | Unknown | 139.45.197.250
                                                                       RETN-ASEU | https://plcr.com.ng/atm.php?user=21003&ref=21003 | malicious | Unknown | 139.45.197.237
                                                                       RETN-ASEU | http://becast.onionlive.workers.dev | malicious | Unknown | 139.45.197.236
                                                                       RETN-ASEU | http://thampolsi.com | malicious | Unknown | 139.45.197.244
                                                                       RETN-ASEU | http://webnovelpub.pro/ | malicious | Unknown | 139.45.195.254
                                                                       RETN-ASEU | vk2wTOx91s.exe | malicious | CopperShrimp, Cryptbot | 176.113.81.61
                                                                       RETN-ASEU | https://thuthoock.net/ | malicious | Unknown | 139.45.197.245
                                                                       MAILRU-ASMailRuRU | 7Y18r(123).exe | malicious | Unknown | 94.100.180.106
                                                                       MAILRU-ASMailRuRU | rRBVVlBwia.exe | malicious | Tofsee | 94.100.180.31
                                                                       MAILRU-ASMailRuRU | setup.exe | malicious | Tofsee | 94.100.180.31
                                                                       MAILRU-ASMailRuRU | SecuriteInfo.com.W32.Kryptik.CI.tr.21358.1519.exe | malicious | Unknown | 5.61.236.163
                                                                       MAILRU-ASMailRuRU | botx.arm6.elf | malicious | Mirai | 79.137.247.12
                                                                       MAILRU-ASMailRuRU | SIP.03746.XSLSX.exe | malicious | Unknown | 217.69.139.160
                                                                       MAILRU-ASMailRuRU | 1PDF.FaturaDetay_202407.exe | malicious | Unknown | 217.69.139.160
                                                                       MAILRU-ASMailRuRU | PDF.FaturaDetay_202407.exe | malicious | Unknown | 94.100.180.160
                                                                       MAILRU-ASMailRuRU | SIP.03746.XSLSX.exe | malicious | Unknown | 94.100.180.160
                                                                       MAILRU-ASMailRuRU | 1PDF.FaturaDetay_202407.exe | malicious | Unknown | 217.69.139.160
                                                                       YAHOO-3US | arm7.elf | malicious | Mirai | 98.139.166.43
                                                                       YAHOO-3US | https://www.ima-india.com/index.php | malicious | Unknown | 74.6.138.67
                                                                       YAHOO-3US | https://www.ima-india.com/index.php | malicious | Unknown | 74.6.138.67
                                                                       YAHOO-3US | https://www.ima-india.com/index.php?option=com_content&view=article&id=1092&Itemid=483 | malicious | Unknown | 74.6.138.65
                                                                       YAHOO-3US | D8OieODwpn.elf | malicious | Mirai, Gafgyt, Okiru | 72.30.110.165
                                                                       YAHOO-3US | m4Jp2TLBHJ.exe | malicious | Tofsee | 67.195.204.77
                                                                       YAHOO-3US | SecuriteInfo.com.Trojan-Ransom.StopCrypt.22110.437.exe | malicious | Tofsee | 67.195.204.74
                                                                       YAHOO-3US | vyrcclmm.exe | malicious | Tofsee | 67.195.204.72
                                                                       YAHOO-3US | HTUyCRuDev.elf | malicious | Unknown | 98.139.142.32
                                                                       YAHOO-3US | https://yellatism.com/click.php?key=2240o76mk7oyoycyr074&cid=cphbldi9sch0sh7da130&zone=2353135-2517555085-3576986712&campaign=395161020&type=Push&age=11&creative_id=547520&campaign_id=108855&site_id=11517&placement_id=43113822&preset_id=500 | malicious | Unknown | 74.6.143.26
                                                                       MICROSOFT-CORP-MSN-AS-BLOCKUS | https://odc.officeapps.live.com.mcas.ms/odc/v2.1/hrd?rs=en-US&Ver=16&app=111&p=6&hm=0&fpEnabled=1&McasTsid=REDACTED | malicious | Unknown | 52.109.28.48
                                                                       MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | malicious | Babadeda | 23.101.168.44
                                                                       MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | malicious | Babadeda | 94.245.104.56
                                                                       MICROSOFT-CORP-MSN-AS-BLOCKUS | My Info Tech Partner Executed Agreement Docs#071999(Revised).pdf | malicious | HTMLPhisher | 40.126.32.134
                                                                       MICROSOFT-CORP-MSN-AS-BLOCKUS | TBw6qwEBHZ.exe | malicious | BlackMoon, Neshta, XRed | 13.107.246.60
                                                                       MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | malicious | Python Stealer, Amadey, Babadeda, Monster Stealer, RedLine, Stealc, Vidar | 20.189.173.22
                                                                       MICROSOFT-CORP-MSN-AS-BLOCKUS | file.exe | malicious | Babadeda | 204.79.197.237
                                                                       MICROSOFT-CORP-MSN-AS-BLOCKUS | EB34B4827C25A458359FE317D886E56C7B3C75A140DCD57D604FC093A9AA2B2C.exe | malicious | Unknown | 13.107.246.60
                                                                       MICROSOFT-CORP-MSN-AS-BLOCKUS | Endermanch@DeriaLock.exe | malicious | DeriaLock | 13.107.246.60
                                                                       MICROSOFT-CORP-MSN-AS-BLOCKUS | Endermanch@InfinityCrypt.exe | malicious | InfinityLock | 13.107.246.60
                                                                      No context
                                                                      No context
                                                                      Process:C:\Users\user\Desktop\ewdWlNc8TL.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):11662848
                                                                      Entropy (8bit):4.152879666199878
                                                                      Encrypted:false
                                                                      SSDEEP:98304:Nfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff:
                                                                      MD5:E4141310CE16DAF84C1718D66EAE2E57
                                                                      SHA1:1BB39DEF90C68EC9AA3D33D6844B7226655331D3
                                                                      SHA-256:490D441334643A6658C385B15E41CFDB94A321903B2E9D3EDF59D1701EA60484
                                                                      SHA-512:1976BC25AE7B2D80EDD12943577F54EBDF3005032C8243C445936915AFE1E349C865C37503F1B6FC5A170551D1520A024399572EF1DC75049518543F4E4F18F2
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........G!GW&O.W&O.W&O.8P..D&O.8P..3&O.8P..H&O.^^..P&O.W&N.&&O.8P..V&O.8P..V&O.8P..V&O.RichW&O.........PE..L......e.....................D.......1............@..................................K..........................................P.... .................................................................@............................................text...C........................... ..`.rdata.. 6.......8..................@..@.data...............................@....rsrc....... ...H..................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Category:dropped
                                                                      Size (bytes):11662848
                                                                      Entropy (8bit):4.152879666199878
                                                                      Encrypted:false
                                                                      SSDEEP:98304:Nfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff:
                                                                      MD5:E4141310CE16DAF84C1718D66EAE2E57
                                                                      SHA1:1BB39DEF90C68EC9AA3D33D6844B7226655331D3
                                                                      SHA-256:490D441334643A6658C385B15E41CFDB94A321903B2E9D3EDF59D1701EA60484
                                                                      SHA-512:1976BC25AE7B2D80EDD12943577F54EBDF3005032C8243C445936915AFE1E349C865C37503F1B6FC5A170551D1520A024399572EF1DC75049518543F4E4F18F2
                                                                      Malicious:true
                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........G!GW&O.W&O.W&O.8P..D&O.8P..3&O.8P..H&O.^^..P&O.W&N.&&O.8P..V&O.8P..V&O.8P..V&O.RichW&O.........PE..L......e.....................D.......1............@..................................K..........................................P.... .................................................................@............................................text...C........................... ..`.rdata.. 6.......8..................@..@.data...............................@....rsrc....... ...H..................@..@................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\netsh.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):3773
                                                                      Entropy (8bit):4.7109073551842435
                                                                      Encrypted:false
                                                                      SSDEEP:48:VHILZNfrI7WFY32iIiNOmV/HToZV9It199hiALlIg39bWA1RvTBi/g2eB:VoLr0y9iIiNOoHTou7bhBlIydWALLt2w
                                                                      MD5:DA3247A302D70819F10BCEEBAF400503
                                                                      SHA1:2857AA198EE76C86FC929CC3388A56D5FD051844
                                                                      SHA-256:5262E1EE394F329CD1F87EA31BA4A396C4A76EDC3A87612A179F81F21606ABC8
                                                                      SHA-512:48FFEC059B4E88F21C2AA4049B7D9E303C0C93D1AD771E405827149EDDF986A72EF49C0F6D8B70F5839DCDBD6B1EA8125C8B300134B7F71C47702B577AD090F8
                                                                      Malicious:false
                                                                      Preview:..A specified value is not valid.....Usage: add rule name=<string>.. dir=in|out.. action=allow|block|bypass.. [program=<program path>].. [service=<service short name>|any].. [description=<string>].. [enable=yes|no (default=yes)].. [profile=public|private|domain|any[,...]].. [localip=any|<IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [remoteip=any|localsubnet|dns|dhcp|wins|defaultgateway|.. <IPv4 address>|<IPv6 address>|<subnet>|<range>|<list>].. [localport=0-65535|<port range>[,...]|RPC|RPC-EPMap|IPHTTPS|any (default=any)].. [remoteport=0-65535|<port range>[,...]|any (default=any)].. [protocol=0-255|icmpv4|icmpv6|icmpv4:type,code|icmpv6:type,code|.. tcp|udp|any (default=any)].. [interfacetype=wireless|lan|ras|any].. [rmtcomputergrp=<SDDL string>].. [rmtusrgrp=<SDDL string>].. [edge=yes|deferapp|deferuser|no (default=no)].. [security=authenticate|authenc|authdynenc|authnoencap|
                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                      Entropy (8bit):5.2465418897075
                                                                      TrID:
                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                      File name:ewdWlNc8TL.exe
                                                                      File size:274'944 bytes
                                                                      MD5:6c2830c79d0a840f479ad635e3d57883
                                                                      SHA1:dc4073381a79705a4df53048cad7b44679623835
                                                                      SHA256:a5f35b4f8933e0106c7743eaadbd3b883f61552add7ff17aca237450b3aa4168
                                                                      SHA512:0a17899c829495dddf3d08a832c7e2b4747ab9665089a9d6b8d5bb625e4851e885800cb242241740853f9e5ad30449f710edd231865c49d464a7aa3084aedc91
                                                                      SSDEEP:3072:66kSFokrBF+7cvxpl1oZkNYe/v4IMbGhULweRQvybL2RxTTu:jzfrK+Dl1ou2HtmaLgxTT
                                                                      TLSH:7244CF1176A6D472D1B2463058B4C6F52AFA7C23DAB9815B3B483F3F3D322925B68353
                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........G!GW&O.W&O.W&O.8P..D&O.8P..3&O.8P..H&O.^^..P&O.W&N.&&O.8P..V&O.8P..V&O.8P..V&O.RichW&O.........PE..L......e...................
                                                                      Icon Hash:63396de961436e0f
                                                                      Entrypoint:0x403198
                                                                      Entrypoint Section:.text
                                                                      Digitally signed:false
                                                                      Imagebase:0x400000
                                                                      Subsystem:windows gui
                                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                      DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                      Time Stamp:0x658A97A9 [Tue Dec 26 09:06:49 2023 UTC]
                                                                      TLS Callbacks:
                                                                      CLR (.Net) Version:
                                                                      OS Version Major:5
                                                                      OS Version Minor:1
                                                                      File Version Major:5
                                                                      File Version Minor:1
                                                                      Subsystem Version Major:5
                                                                      Subsystem Version Minor:1
                                                                      Import Hash:3ee3964629fff7decd6eee12d8b20149
                                                                      Instruction
                                                                      call 00007F8470F76BB7h
                                                                      jmp 00007F8470F7262Eh
                                                                      mov edi, edi
                                                                      push ebp
                                                                      mov ebp, esp
                                                                      sub esp, 20h
                                                                      mov eax, dword ptr [ebp+08h]
                                                                      push esi
                                                                      push edi
                                                                      push 00000008h
                                                                      pop ecx
                                                                      mov esi, 0042D274h
                                                                      lea edi, dword ptr [ebp-20h]
                                                                      rep movsd
                                                                      mov dword ptr [ebp-08h], eax
                                                                      mov eax, dword ptr [ebp+0Ch]
                                                                      pop edi
                                                                      mov dword ptr [ebp-04h], eax
                                                                      pop esi
                                                                      test eax, eax
                                                                      je 00007F8470F727AEh
                                                                      test byte ptr [eax], 00000008h
                                                                      je 00007F8470F727A9h
                                                                      mov dword ptr [ebp-0Ch], 01994000h
                                                                      lea eax, dword ptr [ebp-0Ch]
                                                                      push eax
                                                                      push dword ptr [ebp-10h]
                                                                      push dword ptr [ebp-1Ch]
                                                                      push dword ptr [ebp-20h]
                                                                      call dword ptr [0042D0CCh]
                                                                      leave
                                                                      retn 0008h
                                                                      push edi
                                                                      mov eax, esi
                                                                      and eax, 0Fh
                                                                      test eax, eax
                                                                      jne 00007F8470F72867h
                                                                      mov edx, ecx
                                                                      and ecx, 7Fh
                                                                      shr edx, 07h
                                                                      je 00007F8470F72807h
                                                                      jmp 00007F8470F727A8h
                                                                      lea ebx, dword ptr [ebx+00000000h]
                                                                      movdqa xmm0, dqword ptr [esi]
                                                                      movdqa xmm1, dqword ptr [esi+10h]
                                                                      movdqa xmm2, dqword ptr [esi+20h]
                                                                      movdqa xmm3, dqword ptr [esi+30h]
                                                                      movdqa dqword ptr [edi], xmm0
                                                                      movdqa dqword ptr [edi+10h], xmm1
                                                                      movdqa dqword ptr [edi+20h], xmm2
                                                                      movdqa dqword ptr [edi+30h], xmm3
                                                                      movdqa xmm4, dqword ptr [esi+40h]
                                                                      movdqa xmm5, dqword ptr [esi+50h]
                                                                      movdqa xmm6, dqword ptr [esi+60h]
                                                                      movdqa xmm7, dqword ptr [esi+70h]
                                                                      movdqa dqword ptr [edi+40h], xmm4
                                                                      movdqa dqword ptr [edi+50h], xmm5
                                                                      movdqa dqword ptr [edi+60h], xmm6
                                                                      movdqa dqword ptr [edi+70h], xmm7
                                                                      lea esi, dword ptr [esi+00000080h]
                                                                      Programming Language:
                                                                      • [ASM] VS2010 build 30319
                                                                      • [ C ] VS2010 build 30319
                                                                      • [C++] VS2010 build 30319
                                                                      • [IMP] VS2008 SP1 build 30729
                                                                      • [RES] VS2010 build 30319
                                                                      • [LNK] VS2010 build 30319
                                                                       Name | Virtual Address | Virtual Size | Is in Section
                                                                       IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2fc84 | 0x50 | .rdata
                                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2052000 | 0x82e8 | .rsrc
                                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2fcd4 | 0x1c | .rdata
                                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2f300 | 0x40 | .rdata
                                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_IAT | 0x2d000 | 0x1a8 | .rdata
                                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                       IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                       Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                       .text | 0x1000 | 0x2b743 | 0x2b800 | 1e404cc212a213d92766f2fa9161b0a6 | False | 0.6290802352729885 | data | 6.279343610638027 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                       .rdata | 0x2d000 | 0x3620 | 0x3800 | 781065e0fe97db03e9c6cf3f905c4ccf | False | 0.3412388392857143 | data | 4.8317589044540075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                       .data | 0x31000 | 0x2020bf0 | 0xba00 | ea770be69984578b59c7da74d62d8f8a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                       .rsrc | 0x2052000 | 0x82e8 | 0x8400 | 8e11723a15c44916521fb325791d1198 | False | 0.3206972064393939 | data | 4.107102812401712 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x20555c8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4375
RT_CURSOR | 0x20556f8 | 0xb0 | Device independent bitmap graphic, 16 x 32 x 1, image size 0 | | | 0.44886363636363635
RT_CURSOR | 0x20557d0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.27238805970149255
RT_CURSOR | 0x2056678 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.375
RT_CURSOR | 0x2056f20 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5057803468208093
RT_CURSOR | 0x20574b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.30943496801705755
RT_CURSOR | 0x2058360 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.427797833935018
RT_CURSOR | 0x2058c08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.5469653179190751
RT_ICON | 0x2052480 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | India | 0.5339861751152074
RT_ICON | 0x2052480 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Tamil | Sri Lanka | 0.5339861751152074
RT_ICON | 0x2052b48 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | India | 0.40860995850622406
RT_ICON | 0x2052b48 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Tamil | Sri Lanka | 0.40860995850622406
RT_ICON | 0x20550f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | India | 0.450354609929078
RT_ICON | 0x20550f0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Tamil | Sri Lanka | 0.450354609929078
RT_STRING | 0x20593d0 | 0x452 | data | Tamil | India | 0.45479204339963836
RT_STRING | 0x20593d0 | 0x452 | data | Tamil | Sri Lanka | 0.45479204339963836
RT_STRING | 0x2059828 | 0x28e | data | Tamil | India | 0.481651376146789
RT_STRING | 0x2059828 | 0x28e | data | Tamil | Sri Lanka | 0.481651376146789
RT_STRING | 0x2059ab8 | 0x82a | data | Tamil | India | 0.41818181818181815
RT_STRING | 0x2059ab8 | 0x82a | data | Tamil | Sri Lanka | 0.41818181818181815
RT_ACCELERATOR | 0x2055588 | 0x40 | data | Tamil | India | 0.875
RT_ACCELERATOR | 0x2055588 | 0x40 | data | Tamil | Sri Lanka | 0.875
RT_GROUP_CURSOR | 0x20557a8 | 0x22 | data | | | 1.0588235294117647
RT_GROUP_CURSOR | 0x2057488 | 0x30 | data | | | 0.9166666666666666
RT_GROUP_CURSOR | 0x2059170 | 0x30 | data | | | 0.9375
RT_GROUP_ICON | 0x2055558 | 0x30 | data | Tamil | India | 0.9375
RT_GROUP_ICON | 0x2055558 | 0x30 | data | Tamil | Sri Lanka | 0.9375
RT_VERSION | 0x20591a0 | 0x22c | data | | | 0.5233812949640287
DLL | Import
KERNEL32.dll | SetEndOfFile, LocalCompact, GlobalLock, CreateHardLinkA, GetModuleHandleW, CreateNamedPipeW, GetProcessHeap, GetConsoleCP, GlobalAlloc, GetSystemDirectoryW, LoadLibraryW, IsProcessInJob, AssignProcessToJobObject, CreateEventA, CreateJobObjectA, GetConsoleAliasesW, GetLastError, SetLastError, GetProcAddress, PeekConsoleInputW, EnumDateFormatsExA, VerLanguageNameW, IsBadHugeReadPtr, SetConsoleCtrlHandler, AddAtomW, HeapWalk, EnumResourceTypesW, SetEnvironmentVariableA, GetModuleFileNameA, GetOEMCP, EnumResourceNamesA, GetFileTime, FatalAppExitA, SetProcessShutdownParameters, SetFileShortNameA, GetDiskFreeSpaceExA, LCMapStringW, CreateFileW, CloseHandle, WriteConsoleW, FlushFileBuffers, HeapReAlloc, FindFirstVolumeMountPointW, CreateFileA, HeapFree, HeapAlloc, GetCommandLineA, HeapSetInformation, GetStartupInfoW, RaiseException, IsProcessorFeaturePresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, IsValidCodePage, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, DecodePointer, TlsFree, GetCurrentThreadId, HeapCreate, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, ExitProcess, WriteFile, GetModuleFileNameW, ReadFile, MultiByteToWideChar, SetFilePointer, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, GetStringTypeW, Sleep, GetConsoleMode, RtlUnwind, SetStdHandle, HeapSize
USER32.dll | CharUpperBuffW, GetMessageExtraInfo, DrawStateW, SetMenu, GetSysColorBrush, SetCaretPos, SetClipboardViewer
ADVAPI32.dll | RegSetValueA
Language of compilation system | Country where language is spoken | Map
Tamil | India |
Tamil | Sri Lanka |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-26T04:12:47.020064+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 61235 | 40.127.169.103 | 192.168.2.4
2024-07-26T04:12:18.258834+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49733 | 40.127.169.103 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 26, 2024 04:12:06.719734907 CEST | 49731 | 25 | 192.168.2.4 | 52.101.8.49
Jul 26, 2024 04:12:07.713790894 CEST | 49731 | 25 | 192.168.2.4 | 52.101.8.49
Jul 26, 2024 04:12:09.644850969 CEST | 49732 | 443 | 192.168.2.4 | 213.226.112.95
Jul 26, 2024 04:12:09.644936085 CEST | 443 | 49732 | 213.226.112.95 | 192.168.2.4
Jul 26, 2024 04:12:09.645230055 CEST | 49732 | 443 | 192.168.2.4 | 213.226.112.95
Jul 26, 2024 04:12:09.729433060 CEST | 49731 | 25 | 192.168.2.4 | 52.101.8.49
Jul 26, 2024 04:12:13.729377985 CEST | 49731 | 25 | 192.168.2.4 | 52.101.8.49
Jul 26, 2024 04:12:21.729422092 CEST | 49731 | 25 | 192.168.2.4 | 52.101.8.49
Jul 26, 2024 04:12:26.751518965 CEST | 49739 | 25 | 192.168.2.4 | 67.195.204.74
Jul 26, 2024 04:12:27.760688066 CEST | 49739 | 25 | 192.168.2.4 | 67.195.204.74
Jul 26, 2024 04:12:29.760658979 CEST | 49739 | 25 | 192.168.2.4 | 67.195.204.74
Jul 26, 2024 04:12:33.760746002 CEST | 49739 | 25 | 192.168.2.4 | 67.195.204.74
Jul 26, 2024 04:12:41.776364088 CEST | 49739 | 25 | 192.168.2.4 | 67.195.204.74
Jul 26, 2024 04:12:46.777574062 CEST | 61236 | 25 | 192.168.2.4 | 74.125.71.27
Jul 26, 2024 04:12:47.776376963 CEST | 61236 | 25 | 192.168.2.4 | 74.125.71.27
Jul 26, 2024 04:12:49.651454926 CEST | 49732 | 443 | 192.168.2.4 | 213.226.112.95
Jul 26, 2024 04:12:49.651556969 CEST | 443 | 49732 | 213.226.112.95 | 192.168.2.4
Jul 26, 2024 04:12:49.651629925 CEST | 49732 | 443 | 192.168.2.4 | 213.226.112.95
Jul 26, 2024 04:12:49.761895895 CEST | 61237 | 443 | 192.168.2.4 | 213.226.112.95
Jul 26, 2024 04:12:49.761953115 CEST | 443 | 61237 | 213.226.112.95 | 192.168.2.4
Jul 26, 2024 04:12:49.762166977 CEST | 61237 | 443 | 192.168.2.4 | 213.226.112.95
Jul 26, 2024 04:12:49.776470900 CEST | 61236 | 25 | 192.168.2.4 | 74.125.71.27
Jul 26, 2024 04:12:53.792233944 CEST | 61236 | 25 | 192.168.2.4 | 74.125.71.27
Jul 26, 2024 04:13:01.807873011 CEST | 61236 | 25 | 192.168.2.4 | 74.125.71.27
Jul 26, 2024 04:13:06.801518917 CEST | 61238 | 25 | 192.168.2.4 | 217.69.139.150
Jul 26, 2024 04:13:07.807815075 CEST | 61238 | 25 | 192.168.2.4 | 217.69.139.150
Jul 26, 2024 04:13:09.807828903 CEST | 61238 | 25 | 192.168.2.4 | 217.69.139.150
Jul 26, 2024 04:13:13.807984114 CEST | 61238 | 25 | 192.168.2.4 | 217.69.139.150
Jul 26, 2024 04:13:21.807888031 CEST | 61238 | 25 | 192.168.2.4 | 217.69.139.150
Jul 26, 2024 04:13:29.761310101 CEST | 61237 | 443 | 192.168.2.4 | 213.226.112.95
Jul 26, 2024 04:13:29.761441946 CEST | 443 | 61237 | 213.226.112.95 | 192.168.2.4
Jul 26, 2024 04:13:29.761790037 CEST | 61237 | 443 | 192.168.2.4 | 213.226.112.95
Jul 26, 2024 04:13:29.871499062 CEST | 61239 | 443 | 192.168.2.4 | 213.226.112.95
Jul 26, 2024 04:13:29.871534109 CEST | 443 | 61239 | 213.226.112.95 | 192.168.2.4
Jul 26, 2024 04:13:29.872221947 CEST | 61239 | 443 | 192.168.2.4 | 213.226.112.95
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 26, 2024 04:12:06.664130926 CEST | 51222 | 53 | 192.168.2.4 | 1.1.1.1
Jul 26, 2024 04:12:06.718054056 CEST | 53 | 51222 | 1.1.1.1 | 192.168.2.4
Jul 26, 2024 04:12:09.636693001 CEST | 50936 | 53 | 192.168.2.4 | 1.1.1.1
Jul 26, 2024 04:12:09.644001961 CEST | 53 | 50936 | 1.1.1.1 | 192.168.2.4
Jul 26, 2024 04:12:26.730237961 CEST | 58537 | 53 | 192.168.2.4 | 1.1.1.1
Jul 26, 2024 04:12:26.737260103 CEST | 53 | 58537 | 1.1.1.1 | 192.168.2.4
Jul 26, 2024 04:12:26.738137960 CEST | 57117 | 53 | 192.168.2.4 | 1.1.1.1
Jul 26, 2024 04:12:26.745398998 CEST | 53 | 57117 | 1.1.1.1 | 192.168.2.4
Jul 26, 2024 04:12:45.066613913 CEST | 53 | 51029 | 162.159.36.2 | 192.168.2.4
Jul 26, 2024 04:12:45.871397972 CEST | 53 | 52198 | 1.1.1.1 | 192.168.2.4
Jul 26, 2024 04:12:46.761281013 CEST | 57799 | 53 | 192.168.2.4 | 1.1.1.1
Jul 26, 2024 04:12:46.768919945 CEST | 53 | 57799 | 1.1.1.1 | 192.168.2.4
Jul 26, 2024 04:12:46.769582033 CEST | 53417 | 53 | 192.168.2.4 | 1.1.1.1
Jul 26, 2024 04:12:46.777045012 CEST | 53 | 53417 | 1.1.1.1 | 192.168.2.4
Jul 26, 2024 04:13:06.781939983 CEST | 57842 | 53 | 192.168.2.4 | 1.1.1.1
Jul 26, 2024 04:13:06.790203094 CEST | 53 | 57842 | 1.1.1.1 | 192.168.2.4
Jul 26, 2024 04:13:06.791930914 CEST | 63669 | 53 | 192.168.2.4 | 1.1.1.1
Jul 26, 2024 04:13:06.800410032 CEST | 53 | 63669 | 1.1.1.1 | 192.168.2.4
Jul 26, 2024 04:14:04.722315073 CEST | 60105 | 53 | 192.168.2.4 | 1.1.1.1
Jul 26, 2024 04:14:04.758263111 CEST | 53 | 60105 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 26, 2024 04:12:06.664130926 CEST | 192.168.2.4 | 1.1.1.1 | 0x15b1 | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:09.636693001 CEST | 192.168.2.4 | 1.1.1.1 | 0x8067 | Standard query (0) | vanaheim.cn | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:26.730237961 CEST | 192.168.2.4 | 1.1.1.1 | 0x7172 | Standard query (0) | yahoo.com | MX (Mail exchange) | IN (0x0001) | false
Jul 26, 2024 04:12:26.738137960 CEST | 192.168.2.4 | 1.1.1.1 | 0xae87 | Standard query (0) | mta6.am0.yahoodns.net | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:46.761281013 CEST | 192.168.2.4 | 1.1.1.1 | 0xc96f | Standard query (0) | google.com | MX (Mail exchange) | IN (0x0001) | false
Jul 26, 2024 04:12:46.769582033 CEST | 192.168.2.4 | 1.1.1.1 | 0xee64 | Standard query (0) | smtp.google.com | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:13:06.781939983 CEST | 192.168.2.4 | 1.1.1.1 | 0x9b06 | Standard query (0) | mail.ru | MX (Mail exchange) | IN (0x0001) | false
Jul 26, 2024 04:13:06.791930914 CEST | 192.168.2.4 | 1.1.1.1 | 0x279d | Standard query (0) | mxs.mail.ru | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:14:04.722315073 CEST | 192.168.2.4 | 1.1.1.1 | 0xc8da | Standard query (0) | microsoft-com.mail.protection.outlook.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 26, 2024 04:12:06.718054056 CEST | 1.1.1.1 | 192.168.2.4 | 0x15b1 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:06.718054056 CEST | 1.1.1.1 | 192.168.2.4 | 0x15b1 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:06.718054056 CEST | 1.1.1.1 | 192.168.2.4 | 0x15b1 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:06.718054056 CEST | 1.1.1.1 | 192.168.2.4 | 0x15b1 | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:09.644001961 CEST | 1.1.1.1 | 192.168.2.4 | 0x8067 | No error (0) | vanaheim.cn | | 213.226.112.95 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:26.737260103 CEST | 1.1.1.1 | 192.168.2.4 | 0x7172 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Jul 26, 2024 04:12:26.737260103 CEST | 1.1.1.1 | 192.168.2.4 | 0x7172 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Jul 26, 2024 04:12:26.737260103 CEST | 1.1.1.1 | 192.168.2.4 | 0x7172 | No error (0) | yahoo.com | | | MX (Mail exchange) | IN (0x0001) | false
Jul 26, 2024 04:12:26.745398998 CEST | 1.1.1.1 | 192.168.2.4 | 0xae87 | No error (0) | mta6.am0.yahoodns.net | | 67.195.204.74 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:26.745398998 CEST | 1.1.1.1 | 192.168.2.4 | 0xae87 | No error (0) | mta6.am0.yahoodns.net | | 67.195.228.106 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:26.745398998 CEST | 1.1.1.1 | 192.168.2.4 | 0xae87 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.76 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:26.745398998 CEST | 1.1.1.1 | 192.168.2.4 | 0xae87 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.75 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:26.745398998 CEST | 1.1.1.1 | 192.168.2.4 | 0xae87 | No error (0) | mta6.am0.yahoodns.net | | 67.195.228.94 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:26.745398998 CEST | 1.1.1.1 | 192.168.2.4 | 0xae87 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.74 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:26.745398998 CEST | 1.1.1.1 | 192.168.2.4 | 0xae87 | No error (0) | mta6.am0.yahoodns.net | | 98.136.96.77 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:26.745398998 CEST | 1.1.1.1 | 192.168.2.4 | 0xae87 | No error (0) | mta6.am0.yahoodns.net | | 67.195.228.110 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:46.768919945 CEST | 1.1.1.1 | 192.168.2.4 | 0xc96f | No error (0) | google.com | | | MX (Mail exchange) | IN (0x0001) | false
Jul 26, 2024 04:12:46.777045012 CEST | 1.1.1.1 | 192.168.2.4 | 0xee64 | No error (0) | smtp.google.com | | 74.125.71.27 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:46.777045012 CEST | 1.1.1.1 | 192.168.2.4 | 0xee64 | No error (0) | smtp.google.com | | 74.125.71.26 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:46.777045012 CEST | 1.1.1.1 | 192.168.2.4 | 0xee64 | No error (0) | smtp.google.com | | 74.125.133.26 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:46.777045012 CEST | 1.1.1.1 | 192.168.2.4 | 0xee64 | No error (0) | smtp.google.com | | 64.233.166.27 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:12:46.777045012 CEST | 1.1.1.1 | 192.168.2.4 | 0xee64 | No error (0) | smtp.google.com | | 64.233.166.26 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:13:06.790203094 CEST | 1.1.1.1 | 192.168.2.4 | 0x9b06 | No error (0) | mail.ru | | | MX (Mail exchange) | IN (0x0001) | false
Jul 26, 2024 04:13:06.800410032 CEST | 1.1.1.1 | 192.168.2.4 | 0x279d | No error (0) | mxs.mail.ru | | 217.69.139.150 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:13:06.800410032 CEST | 1.1.1.1 | 192.168.2.4 | 0x279d | No error (0) | mxs.mail.ru | | 94.100.180.31 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:14:04.758263111 CEST | 1.1.1.1 | 192.168.2.4 | 0xc8da | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.11.0 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:14:04.758263111 CEST | 1.1.1.1 | 192.168.2.4 | 0xc8da | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.8.49 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:14:04.758263111 CEST | 1.1.1.1 | 192.168.2.4 | 0xc8da | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.40.26 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 04:14:04.758263111 CEST | 1.1.1.1 | 192.168.2.4 | 0xc8da | No error (0) | microsoft-com.mail.protection.outlook.com | | 52.101.42.0 | A (IP address) | IN (0x0001) | false

Target ID: 0
Start time: 22:11:57
Start date: 25/07/2024
Path: C:\Users\user\Desktop\ewdWlNc8TL.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\ewdWlNc8TL.exe"
Imagebase: 0x400000
File size: 274'944 bytes
MD5 hash: 6C2830C79D0A840F479AD635E3D57883
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: ditekSHen
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1760365617.000000000264D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000000.00000003.1720652652.0000000002600000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000000.00000003.1720652652.0000000002600000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000000.00000003.1720652652.0000000002600000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 1
Start time: 22:12:01
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\rpfcsqnj\
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 22:12:01
Start date: 25/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 22:12:01
Start date: 25/07/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\user\AppData\Local\Temp\ybuffopp.exe" C:\Windows\SysWOW64\rpfcsqnj\
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 22:12:01
Start date: 25/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                      Target ID:5
                                                                      Start time:22:12:02
                                                                      Start date:25/07/2024
                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\sc.exe" create rpfcsqnj binPath= "C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d\"C:\Users\user\Desktop\ewdWlNc8TL.exe\"" type= own start= auto DisplayName= "wifi support"
                                                                      Imagebase:0x980000
                                                                      File size:61'440 bytes
                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:6
                                                                      Start time:22:12:02
                                                                      Start date:25/07/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:7
                                                                      Start time:22:12:02
                                                                      Start date:25/07/2024
                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\sc.exe" description rpfcsqnj "wifi internet conection"
                                                                      Imagebase:0x980000
                                                                      File size:61'440 bytes
                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:8
                                                                      Start time:22:12:02
                                                                      Start date:25/07/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:9
                                                                      Start time:22:12:03
                                                                      Start date:25/07/2024
                                                                      Path:C:\Windows\SysWOW64\sc.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\sc.exe" start rpfcsqnj
                                                                      Imagebase:0x980000
                                                                      File size:61'440 bytes
                                                                      MD5 hash:D9D7684B8431A0D10D0E76FE9F5FFEC8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate
                                                                      Has exited:true

                                                                      Target ID:10
                                                                      Start time:22:12:03
                                                                      Start date:25/07/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:11
                                                                      Start time:22:12:03
                                                                      Start date:25/07/2024
                                                                      Path:C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe /d"C:\Users\user\Desktop\ewdWlNc8TL.exe"
                                                                      Imagebase:0x400000
                                                                      File size:11'662'848 bytes
                                                                      MD5 hash:E4141310CE16DAF84C1718D66EAE2E57
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000003.1770040637.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000003.1770040637.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000003.1770040637.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1774025895.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1774025895.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.1774025895.0000000002C60000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: unknown
                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Author: ditekSHen
                                                                      • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000B.00000002.1773773019.00000000025D9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:12
                                                                      Start time:22:12:03
                                                                      Start date:25/07/2024
                                                                      Path:C:\Windows\SysWOW64\netsh.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                                                                      Imagebase:0x1560000
                                                                      File size:82'432 bytes
                                                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:true

                                                                      Target ID:13
                                                                      Start time:22:12:03
                                                                      Start date:25/07/2024
                                                                      Path:C:\Windows\System32\svchost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
                                                                      Imagebase:0x7ff6eef20000
                                                                      File size:55'320 bytes
                                                                      MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                      Target ID:14
                                                                      Start time:22:12:03
                                                                      Start date:25/07/2024
                                                                      Path:C:\Windows\System32\conhost.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                      Imagebase:0x7ff7699e0000
                                                                      File size:862'208 bytes
                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:15
                                                                      Start time:22:12:03
                                                                      Start date:25/07/2024
                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3664 -ip 3664
                                                                      Imagebase:0x270000
                                                                      File size:483'680 bytes
                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:16
                                                                      Start time:22:12:04
                                                                      Start date:25/07/2024
                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 652
                                                                      Imagebase:0x270000
                                                                      File size:483'680 bytes
                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:17
                                                                      Start time:22:12:05
                                                                      Start date:25/07/2024
                                                                      Path:C:\Windows\SysWOW64\svchost.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:svchost.exe
                                                                      Imagebase:0x9f0000
                                                                      File size:46'504 bytes
                                                                      MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Tofsee, Description: Yara detected Tofsee, Source: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: Windows_Trojan_Tofsee_26124fe4, Description: unknown, Source: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                      • Rule: MALWARE_Win_Tofsee, Description: Detects Tofsee, Source: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Has exited:false

                                                                      Target ID:18
                                                                      Start time:22:12:05
                                                                      Start date:25/07/2024
                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4048 -ip 4048
                                                                      Imagebase:0x270000
                                                                      File size:483'680 bytes
                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true

                                                                      Target ID:19
                                                                      Start time:22:12:05
                                                                      Start date:25/07/2024
                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 540
                                                                      Imagebase:0x270000
                                                                      File size:483'680 bytes
                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Has exited:true


                                                                        Execution Graph

                                                                        Execution Coverage:3.7%
                                                                        Dynamic/Decrypted Code Coverage:2.1%
                                                                        Signature Coverage:25.6%
                                                                        Total number of Nodes:1548
                                                                        Total number of Limit Nodes:18
15015->15475 15484 40ea84 15016->15484 15019 401e6c 15021 40df70 12 API calls 15019->15021 15021->15016 15022 40e819 11 API calls 15023 401e93 15022->15023 15488 40199c inet_addr LoadLibraryA 15023->15488 15026 40e819 11 API calls 15027 401eb9 15026->15027 15028 401ed8 15027->15028 15029 40f04e 4 API calls 15027->15029 15030 40e819 11 API calls 15028->15030 15031 401ec9 15029->15031 15032 401eee 15030->15032 15033 40ea84 30 API calls 15031->15033 15034 401f0a 15032->15034 15501 401b71 15032->15501 15033->15028 15035 40e819 11 API calls 15034->15035 15037 401f23 15035->15037 15039 401f3f 15037->15039 15505 401bdf 15037->15505 15038 401efd 15040 40ea84 30 API calls 15038->15040 15042 40e819 11 API calls 15039->15042 15040->15034 15044 401f5e 15042->15044 15046 401f77 15044->15046 15047 40ea84 30 API calls 15044->15047 15045 40ea84 30 API calls 15045->15039 15512 4030b5 15046->15512 15047->15046 15050 406ec3 2 API calls 15052 401f8e GetTickCount 15050->15052 15052->14713 15054 406ec3 2 API calls 15053->15054 15055 4080eb 15054->15055 15056 4080f9 15055->15056 15057 4080ef 15055->15057 15058 40704c 16 API calls 15056->15058 15560 407ee6 15057->15560 15061 408110 15058->15061 15060 408269 CreateThread 15078 405e6c 15060->15078 15889 40877e 15060->15889 15063 408156 RegOpenKeyExA 15061->15063 15064 4080f4 15061->15064 15062 40675c 21 API calls 15068 408244 15062->15068 15063->15064 15065 40816d RegQueryValueExA 15063->15065 15064->15060 15064->15062 15066 4081f7 15065->15066 15067 40818d 15065->15067 15069 40820d RegCloseKey 15066->15069 15071 40ec2e codecvt 4 API calls 15066->15071 15067->15066 15072 40ebcc 4 API calls 15067->15072 15068->15060 15070 40ec2e codecvt 4 API calls 15068->15070 15069->15064 15070->15060 15077 4081dd 15071->15077 15073 4081a0 15072->15073 15073->15069 15074 4081aa RegQueryValueExA 15073->15074 15074->15066 15075 4081c4 15074->15075 15076 40ebcc 4 API calls 15075->15076 15076->15077 15077->15069 15628 40ec54 GetSystemTimeAsFileTime 
GetVolumeInformationA GetTickCount 15078->15628 15080 405e71 15629 40e654 15080->15629 15082 405ec1 15083 403132 15082->15083 15084 40df70 12 API calls 15083->15084 15085 40313b 15084->15085 15086 40c125 15085->15086 15640 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount 15086->15640 15088 40c12d 15089 40e654 13 API calls 15088->15089 15090 40c2bd 15089->15090 15091 40e654 13 API calls 15090->15091 15092 40c2c9 15091->15092 15093 40e654 13 API calls 15092->15093 15094 40a47a 15093->15094 15095 408db1 15094->15095 15096 408dbc 15095->15096 15097 40e654 13 API calls 15096->15097 15098 408dec Sleep 15097->15098 15098->14748 15100 40c92f 15099->15100 15101 40c93c 15100->15101 15641 40c517 15100->15641 15103 40ca2b 15101->15103 15104 40e819 11 API calls 15101->15104 15103->14748 15105 40c96a 15104->15105 15106 40e819 11 API calls 15105->15106 15107 40c97d 15106->15107 15108 40e819 11 API calls 15107->15108 15109 40c990 15108->15109 15110 40c9aa 15109->15110 15111 40ebcc 4 API calls 15109->15111 15110->15103 15658 402684 15110->15658 15111->15110 15116 40ca26 15665 40c8aa 15116->15665 15119 40ca44 15120 40ca4b closesocket 15119->15120 15121 40ca83 15119->15121 15120->15116 15122 40ea84 30 API calls 15121->15122 15123 40caac 15122->15123 15124 40f04e 4 API calls 15123->15124 15125 40cab2 15124->15125 15126 40ea84 30 API calls 15125->15126 15127 40caca 15126->15127 15128 40ea84 30 API calls 15127->15128 15129 40cad9 15128->15129 15673 40c65c 15129->15673 15132 40cb60 closesocket 15132->15103 15134 40dad2 closesocket 15135 40e318 23 API calls 15134->15135 15135->15103 15136 40df4c 20 API calls 15196 40cb70 15136->15196 15142 40e654 13 API calls 15142->15196 15143 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15143->15196 15148 40ea84 30 API calls 15148->15196 15149 40d569 closesocket Sleep 15720 40e318 15149->15720 15150 40d815 wsprintfA 15150->15196 15151 40cc1c GetTempPathA 15151->15196 15152 40c517 23 API calls 
15152->15196 15154 407ead 6 API calls 15154->15196 15155 40e8a1 30 API calls 15155->15196 15156 40d582 ExitProcess 15157 40c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15157->15196 15158 40cfe3 GetSystemDirectoryA 15158->15196 15159 40cfad GetEnvironmentVariableA 15159->15196 15160 40675c 21 API calls 15160->15196 15161 40d027 GetSystemDirectoryA 15161->15196 15162 40d105 lstrcatA 15162->15196 15163 40ef1e lstrlenA 15163->15196 15164 40cc9f CreateFileA 15166 40ccc6 WriteFile 15164->15166 15164->15196 15165 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15165->15196 15169 40cdcc CloseHandle 15166->15169 15170 40cced CloseHandle 15166->15170 15167 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 15167->15196 15168 40d15b CreateFileA 15171 40d182 WriteFile CloseHandle 15168->15171 15168->15196 15169->15196 15176 40cd2f 15170->15176 15171->15196 15172 40cd16 wsprintfA 15172->15176 15173 40d149 SetFileAttributesA 15173->15168 15174 40d1bf SetFileAttributesA 15174->15196 15175 40d36e GetEnvironmentVariableA 15175->15196 15176->15172 15702 407fcf 15176->15702 15177 40d22d GetEnvironmentVariableA 15177->15196 15178 40d3af lstrcatA 15180 40d3f2 CreateFileA 15178->15180 15178->15196 15183 40d415 WriteFile CloseHandle 15180->15183 15180->15196 15182 407fcf 64 API calls 15182->15196 15183->15196 15184 40cd81 WaitForSingleObject CloseHandle CloseHandle 15186 40f04e 4 API calls 15184->15186 15185 40cda5 15187 407ee6 64 API calls 15185->15187 15186->15185 15190 40cdbd DeleteFileA 15187->15190 15188 40d3e0 SetFileAttributesA 15188->15180 15189 40d26e lstrcatA 15192 40d2b1 CreateFileA 15189->15192 15189->15196 15190->15196 15191 40d4b1 CreateProcessA 15193 40d4e8 CloseHandle CloseHandle 15191->15193 15191->15196 15192->15196 15197 40d2d8 WriteFile CloseHandle 15192->15197 15193->15196 15194 407ee6 64 API calls 15194->15196 15195 40d452 SetFileAttributesA 15195->15196 15196->15134 15196->15136 15196->15142 
15196->15143 15196->15148 15196->15149 15196->15150 15196->15151 15196->15152 15196->15154 15196->15155 15196->15157 15196->15158 15196->15159 15196->15160 15196->15161 15196->15162 15196->15163 15196->15164 15196->15165 15196->15167 15196->15168 15196->15173 15196->15174 15196->15175 15196->15177 15196->15178 15196->15180 15196->15182 15196->15188 15196->15189 15196->15191 15196->15192 15196->15194 15196->15195 15199 40d29f SetFileAttributesA 15196->15199 15201 40d31d SetFileAttributesA 15196->15201 15681 40c75d 15196->15681 15693 407e2f 15196->15693 15715 407ead 15196->15715 15725 4031d0 15196->15725 15742 403c09 15196->15742 15752 403a00 15196->15752 15756 40e7b4 15196->15756 15759 40c06c 15196->15759 15765 406f5f GetUserNameA 15196->15765 15776 40e854 15196->15776 15786 407dd6 15196->15786 15197->15196 15199->15192 15201->15196 15203 40741b 15202->15203 15204 406dc2 6 API calls 15203->15204 15205 40743f 15204->15205 15206 407469 RegOpenKeyExA 15205->15206 15208 4077f9 15206->15208 15218 407487 ___ascii_stricmp 15206->15218 15207 407703 RegEnumKeyA 15209 407714 RegCloseKey 15207->15209 15207->15218 15208->14817 15209->15208 15210 40f1a5 lstrlenA 15210->15218 15211 4074d2 RegOpenKeyExA 15211->15218 15212 40772c 15214 407742 RegCloseKey 15212->15214 15215 40774b 15212->15215 15213 407521 RegQueryValueExA 15213->15218 15214->15215 15216 4077ec RegCloseKey 15215->15216 15216->15208 15217 4076e4 RegCloseKey 15217->15218 15218->15207 15218->15210 15218->15211 15218->15212 15218->15213 15218->15217 15220 40777e GetFileAttributesExA 15218->15220 15221 407769 15218->15221 15219 4077e3 RegCloseKey 15219->15216 15220->15221 15221->15219 15223 407073 15222->15223 15224 4070b9 RegOpenKeyExA 15223->15224 15225 4070d0 15224->15225 15239 4071b8 15224->15239 15226 406dc2 6 API calls 15225->15226 15229 4070d5 15226->15229 15227 40719b RegEnumValueA 15228 4071af RegCloseKey 15227->15228 15227->15229 15228->15239 15229->15227 15231 4071d0 15229->15231 15245 40f1a5 lstrlenA 
15229->15245 15232 407205 RegCloseKey 15231->15232 15233 407227 15231->15233 15232->15239 15234 4072b8 ___ascii_stricmp 15233->15234 15235 40728e RegCloseKey 15233->15235 15236 4072cd RegCloseKey 15234->15236 15237 4072dd 15234->15237 15235->15239 15236->15239 15238 407311 RegCloseKey 15237->15238 15241 407335 15237->15241 15238->15239 15239->14818 15240 4073d5 RegCloseKey 15242 4073e4 15240->15242 15241->15240 15243 40737e GetFileAttributesExA 15241->15243 15244 407397 15241->15244 15243->15244 15244->15240 15246 40f1c3 15245->15246 15246->15229 15248 403ee2 15247->15248 15249 403edc 15247->15249 15248->14824 15250 406dc2 6 API calls 15249->15250 15250->15248 15252 40400b CreateFileA 15251->15252 15253 40402c GetLastError 15252->15253 15254 404052 15252->15254 15253->15254 15255 404037 15253->15255 15254->14822 15254->14827 15254->14828 15255->15254 15256 404041 Sleep 15255->15256 15256->15252 15256->15254 15258 403f7c 15257->15258 15259 403f4e GetLastError 15257->15259 15261 403f8c ReadFile 15258->15261 15259->15258 15260 403f5b WaitForSingleObject GetOverlappedResult 15259->15260 15260->15258 15262 403fc2 GetLastError 15261->15262 15264 403ff0 15261->15264 15263 403fcf WaitForSingleObject GetOverlappedResult 15262->15263 15262->15264 15263->15264 15264->14833 15264->14834 15268 40eb74 15265->15268 15269 40eb7b GetProcessHeap HeapSize 15268->15269 15270 404350 15268->15270 15269->15270 15270->14841 15272 401924 GetVersionExA 15271->15272 15272->14885 15274 406eef AllocateAndInitializeSid 15273->15274 15280 406f55 15273->15280 15275 406f44 15274->15275 15276 406f1c CheckTokenMembership 15274->15276 15275->15280 15307 406e36 GetUserNameW 15275->15307 15277 406f3b FreeSid 15276->15277 15278 406f2e 15276->15278 15277->15275 15278->15277 15280->14894 15283 40920e 15281->15283 15285 409308 15281->15285 15282 4092f1 Sleep 15282->15283 15283->15282 15283->15283 15284 4092bf ShellExecuteA 15283->15284 15283->15285 15284->15283 15284->15285 15285->14911 15287 40ef32 
15286->15287 15287->14910 15289 40f0f1 15288->15289 15290 40f0ed 15288->15290 15291 40f119 15289->15291 15292 40f0fa lstrlenA SysAllocStringByteLen 15289->15292 15290->14917 15293 40f11c MultiByteToWideChar 15291->15293 15292->15293 15294 40f117 15292->15294 15293->15294 15294->14917 15296 401820 17 API calls 15295->15296 15297 4018f2 15296->15297 15298 4018f9 15297->15298 15310 401280 15297->15310 15298->14911 15300 401908 15300->14911 15322 401000 15301->15322 15303 401839 15304 401851 GetCurrentProcess 15303->15304 15305 40183d 15303->15305 15306 401864 15304->15306 15305->14904 15306->14904 15308 406e5f LookupAccountNameW 15307->15308 15309 406e97 15307->15309 15308->15309 15309->15280 15311 4012e1 15310->15311 15312 4016f9 GetLastError 15311->15312 15319 4013a8 15311->15319 15313 401699 15312->15313 15313->15300 15314 401570 lstrlenW 15314->15319 15315 4015be GetStartupInfoW 15315->15319 15316 4015ff CreateProcessWithLogonW 15317 4016bf GetLastError 15316->15317 15318 40163f WaitForSingleObject 15316->15318 15317->15313 15318->15319 15320 401659 CloseHandle 15318->15320 15319->15313 15319->15314 15319->15315 15319->15316 15321 401668 CloseHandle 15319->15321 15320->15319 15321->15319 15323 40100d LoadLibraryA 15322->15323 15331 401023 15322->15331 15324 401021 15323->15324 15323->15331 15324->15303 15325 4010b5 GetProcAddress 15326 4010d1 GetProcAddress 15325->15326 15327 40127b 15325->15327 15326->15327 15328 4010f0 GetProcAddress 15326->15328 15327->15303 15328->15327 15329 401110 GetProcAddress 15328->15329 15329->15327 15330 401130 GetProcAddress 15329->15330 15330->15327 15332 40114f GetProcAddress 15330->15332 15331->15325 15342 4010ae 15331->15342 15332->15327 15333 40116f GetProcAddress 15332->15333 15333->15327 15334 40118f GetProcAddress 15333->15334 15334->15327 15335 4011ae GetProcAddress 15334->15335 15335->15327 15336 4011ce GetProcAddress 15335->15336 15336->15327 15337 4011ee GetProcAddress 15336->15337 15337->15327 15338 401209 GetProcAddress 
15337->15338 15338->15327 15339 401225 GetProcAddress 15338->15339 15339->15327 15340 401241 GetProcAddress 15339->15340 15340->15327 15341 40125c GetProcAddress 15340->15341 15341->15327 15342->15303 15345 4069b9 WriteFile 15343->15345 15346 406a3c 15345->15346 15348 4069ff 15345->15348 15346->14927 15346->14928 15347 406a10 WriteFile 15347->15346 15347->15348 15348->15346 15348->15347 15350 40eb17 15349->15350 15352 40eb21 15349->15352 15353 40eae4 15350->15353 15352->14931 15354 40eb02 GetProcAddress 15353->15354 15355 40eaed LoadLibraryA 15353->15355 15354->15352 15355->15354 15356 40eb01 15355->15356 15356->15352 15358 40eba7 GetProcessHeap HeapSize 15357->15358 15359 40ebbf GetProcessHeap HeapFree 15357->15359 15358->15359 15359->14960 15361 40908d 15360->15361 15362 4090e2 wsprintfA 15361->15362 15363 40ee2a 15362->15363 15364 4090fd CreateFileA 15363->15364 15365 40911a lstrlenA WriteFile CloseHandle 15364->15365 15366 40913f 15364->15366 15365->15366 15366->14969 15366->14970 15368 40ee2a 15367->15368 15369 409794 CreateProcessA 15368->15369 15370 4097bb 15369->15370 15371 4097c2 15369->15371 15370->14981 15372 4097d4 GetThreadContext 15371->15372 15373 409801 15372->15373 15374 4097f5 15372->15374 15381 40637c 15373->15381 15375 4097f6 TerminateProcess 15374->15375 15375->15370 15377 409816 15377->15375 15378 40981e WriteProcessMemory 15377->15378 15378->15374 15379 40983b SetThreadContext 15378->15379 15379->15374 15380 409858 ResumeThread 15379->15380 15380->15370 15382 406386 15381->15382 15383 40638a GetModuleHandleA VirtualAlloc 15381->15383 15382->15377 15384 4063b6 15383->15384 15385 4063f5 15383->15385 15386 4063be VirtualAllocEx 15384->15386 15385->15377 15386->15385 15387 4063d6 15386->15387 15388 4063df WriteProcessMemory 15387->15388 15388->15385 15390 40dd41 InterlockedExchange 15389->15390 15391 40dd20 GetCurrentThreadId 15390->15391 15392 40dd4a 15390->15392 15393 40dd53 GetCurrentThreadId 15391->15393 15394 40dd2e GetTickCount 15391->15394 
15392->15393 15393->14984 15394->15392 15395 40dd39 Sleep 15394->15395 15395->15390 15397 40dbf0 15396->15397 15429 40db67 GetEnvironmentVariableA 15397->15429 15399 40dc19 15400 40dcda 15399->15400 15401 40db67 3 API calls 15399->15401 15400->14986 15402 40dc5c 15401->15402 15402->15400 15403 40db67 3 API calls 15402->15403 15404 40dc9b 15403->15404 15404->15400 15405 40db67 3 API calls 15404->15405 15405->15400 15407 40db3a 15406->15407 15409 40db55 15406->15409 15433 40ebed 15407->15433 15409->14988 15409->14993 15442 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime 15410->15442 15412 40e3be 15412->14988 15413 40e342 15413->15412 15445 40de24 15413->15445 15416 40e528 15415->15416 15417 40e3f4 15415->15417 15416->14996 15418 40e434 RegQueryValueExA 15417->15418 15419 40e458 15418->15419 15420 40e51d RegCloseKey 15418->15420 15421 40e46e RegQueryValueExA 15419->15421 15420->15416 15421->15419 15422 40e488 15421->15422 15422->15420 15423 40db2e 8 API calls 15422->15423 15424 40e499 15423->15424 15424->15420 15425 40e4b9 RegQueryValueExA 15424->15425 15426 40e4e8 15424->15426 15425->15424 15425->15426 15426->15420 15427 40e332 14 API calls 15426->15427 15428 40e513 15427->15428 15428->15420 15430 40dbca 15429->15430 15432 40db89 lstrcpyA CreateFileA 15429->15432 15430->15399 15432->15399 15434 40ec01 15433->15434 15435 40ebf6 15433->15435 15437 40eba0 codecvt 2 API calls 15434->15437 15436 40ebcc 4 API calls 15435->15436 15439 40ebfe 15436->15439 15438 40ec0a GetProcessHeap HeapReAlloc 15437->15438 15440 40eb74 2 API calls 15438->15440 15439->15409 15441 40ec28 15440->15441 15441->15409 15456 40eb41 15442->15456 15446 40de3a 15445->15446 15451 40de4e 15446->15451 15460 40dd84 15446->15460 15449 40de9e 15450 40ebed 8 API calls 15449->15450 15449->15451 15454 40def6 15450->15454 15451->15413 15452 40de76 15464 40ddcf 15452->15464 15454->15451 15455 40ddcf lstrcmpA 15454->15455 15455->15451 15457 40eb54 15456->15457 15458 40eb4a 15456->15458 15457->15413 15459 
40eae4 2 API calls 15458->15459 15459->15457 15461 40ddc5 15460->15461 15462 40dd96 15460->15462 15461->15449 15461->15452 15462->15461 15463 40ddad lstrcmpiA 15462->15463 15463->15461 15463->15462 15465 40de20 15464->15465 15466 40dddd 15464->15466 15465->15451 15466->15465 15467 40ddfa lstrcmpA 15466->15467 15467->15466 15469 40dd05 6 API calls 15468->15469 15470 40e821 15469->15470 15471 40dd84 lstrcmpiA 15470->15471 15472 40e82c 15471->15472 15473 40e844 15472->15473 15516 402480 15472->15516 15473->15013 15476 40dd05 6 API calls 15475->15476 15477 40df7c 15476->15477 15478 40dd84 lstrcmpiA 15477->15478 15483 40df89 15478->15483 15479 40dfc4 15479->15019 15480 40ddcf lstrcmpA 15480->15483 15481 40ec2e codecvt 4 API calls 15481->15483 15482 40dd84 lstrcmpiA 15482->15483 15483->15479 15483->15480 15483->15481 15483->15482 15485 40ea98 15484->15485 15525 40e8a1 15485->15525 15487 401e84 15487->15022 15489 4019d5 GetProcAddress GetProcAddress GetProcAddress 15488->15489 15490 4019ce 15488->15490 15491 401ab3 FreeLibrary 15489->15491 15492 401a04 15489->15492 15490->15026 15491->15490 15492->15491 15493 401a14 GetProcessHeap 15492->15493 15493->15490 15495 401a2e HeapAlloc 15493->15495 15495->15490 15496 401a42 15495->15496 15497 401a52 HeapReAlloc 15496->15497 15499 401a62 15496->15499 15497->15499 15498 401aa1 FreeLibrary 15498->15490 15499->15498 15500 401a96 HeapFree 15499->15500 15500->15498 15553 401ac3 LoadLibraryA 15501->15553 15504 401bcf 15504->15038 15506 401ac3 12 API calls 15505->15506 15507 401c09 15506->15507 15508 401c0d GetComputerNameA 15507->15508 15511 401c41 15507->15511 15509 401c45 GetVolumeInformationA 15508->15509 15510 401c1f 15508->15510 15509->15511 15510->15509 15510->15511 15511->15045 15513 40ee2a 15512->15513 15514 4030d0 gethostname gethostbyname 15513->15514 15515 401f82 15514->15515 15515->15050 15515->15052 15519 402419 lstrlenA 15516->15519 15518 402491 15518->15473 15520 40243d lstrlenA 15519->15520 15521 402474 15519->15521 
15522 402464 lstrlenA 15520->15522 15523 40244e lstrcmpiA 15520->15523 15521->15518 15522->15520 15522->15521 15523->15522 15524 40245c 15523->15524 15524->15521 15524->15522 15526 40dd05 6 API calls 15525->15526 15527 40e8b4 15526->15527 15528 40dd84 lstrcmpiA 15527->15528 15529 40e8c0 15528->15529 15530 40e90a 15529->15530 15531 40e8c8 lstrcpynA 15529->15531 15532 402419 4 API calls 15530->15532 15541 40ea27 15530->15541 15533 40e8f5 15531->15533 15534 40e926 lstrlenA lstrlenA 15532->15534 15546 40df4c 15533->15546 15535 40e96a 15534->15535 15536 40e94c lstrlenA 15534->15536 15540 40ebcc 4 API calls 15535->15540 15535->15541 15536->15535 15538 40e901 15539 40dd84 lstrcmpiA 15538->15539 15539->15530 15542 40e98f 15540->15542 15541->15487 15542->15541 15543 40df4c 20 API calls 15542->15543 15544 40ea1e 15543->15544 15545 40ec2e codecvt 4 API calls 15544->15545 15545->15541 15547 40dd05 6 API calls 15546->15547 15548 40df51 15547->15548 15549 40f04e 4 API calls 15548->15549 15550 40df58 15549->15550 15551 40de24 10 API calls 15550->15551 15552 40df63 15551->15552 15552->15538 15554 401ae2 GetProcAddress 15553->15554 15559 401b68 GetComputerNameA GetVolumeInformationA 15553->15559 15555 401af5 15554->15555 15554->15559 15556 40ebed 8 API calls 15555->15556 15557 401b29 15555->15557 15556->15555 15557->15557 15558 40ec2e codecvt 4 API calls 15557->15558 15557->15559 15558->15559 15559->15504 15561 406ec3 2 API calls 15560->15561 15562 407ef4 15561->15562 15563 4073ff 17 API calls 15562->15563 15572 407fc9 15562->15572 15564 407f16 15563->15564 15564->15572 15573 407809 GetUserNameA 15564->15573 15566 407f63 15567 40ef1e lstrlenA 15566->15567 15566->15572 15568 407fa6 15567->15568 15569 40ef1e lstrlenA 15568->15569 15570 407fb7 15569->15570 15597 407a95 RegOpenKeyExA 15570->15597 15572->15064 15574 40783d LookupAccountNameA 15573->15574 15575 407a8d 15573->15575 15574->15575 15576 407874 GetLengthSid GetFileSecurityA 15574->15576 15575->15566 15576->15575 15577 4078a8 
GetSecurityDescriptorOwner 15576->15577 15578 4078c5 EqualSid 15577->15578 15579 40791d GetSecurityDescriptorDacl 15577->15579 15578->15579 15580 4078dc LocalAlloc 15578->15580 15579->15575 15594 407941 15579->15594 15580->15579 15581 4078ef InitializeSecurityDescriptor 15580->15581 15583 407916 LocalFree 15581->15583 15584 4078fb SetSecurityDescriptorOwner 15581->15584 15582 40795b GetAce 15582->15594 15583->15579 15584->15583 15585 40790b SetFileSecurityA 15584->15585 15585->15583 15586 407980 EqualSid 15586->15594 15587 407a3d 15587->15575 15590 407a43 LocalAlloc 15587->15590 15588 4079be EqualSid 15588->15594 15589 40799d DeleteAce 15589->15594 15590->15575 15591 407a56 InitializeSecurityDescriptor 15590->15591 15592 407a62 SetSecurityDescriptorDacl 15591->15592 15593 407a86 LocalFree 15591->15593 15592->15593 15595 407a73 SetFileSecurityA 15592->15595 15593->15575 15594->15575 15594->15582 15594->15586 15594->15587 15594->15588 15594->15589 15595->15593 15596 407a83 15595->15596 15596->15593 15598 407ac4 15597->15598 15599 407acb GetUserNameA 15597->15599 15598->15572 15600 407da7 RegCloseKey 15599->15600 15601 407aed LookupAccountNameA 15599->15601 15600->15598 15601->15600 15602 407b24 RegGetKeySecurity 15601->15602 15602->15600 15603 407b49 GetSecurityDescriptorOwner 15602->15603 15604 407b63 EqualSid 15603->15604 15605 407bb8 GetSecurityDescriptorDacl 15603->15605 15604->15605 15607 407b74 LocalAlloc 15604->15607 15606 407da6 15605->15606 15617 407bdc 15605->15617 15606->15600 15607->15605 15608 407b8a InitializeSecurityDescriptor 15607->15608 15610 407bb1 LocalFree 15608->15610 15611 407b96 SetSecurityDescriptorOwner 15608->15611 15609 407bf8 GetAce 15609->15617 15610->15605 15611->15610 15612 407ba6 RegSetKeySecurity 15611->15612 15612->15610 15613 407c1d EqualSid 15613->15617 15614 407cd9 15614->15606 15618 407d5a LocalAlloc 15614->15618 15620 407cf2 RegOpenKeyExA 15614->15620 15615 407c5f EqualSid 15615->15617 15616 407c3a DeleteAce 15616->15617 
15617->15606 15617->15609 15617->15613 15617->15614 15617->15615 15617->15616 15618->15606 15619 407d70 InitializeSecurityDescriptor 15618->15619 15621 407d7c SetSecurityDescriptorDacl 15619->15621 15622 407d9f LocalFree 15619->15622 15620->15618 15625 407d0f 15620->15625 15621->15622 15623 407d8c RegSetKeySecurity 15621->15623 15622->15606 15623->15622 15624 407d9c 15623->15624 15624->15622 15626 407d43 RegSetValueExA 15625->15626 15626->15618 15627 407d54 15626->15627 15627->15618 15628->15080 15630 40dd05 6 API calls 15629->15630 15631 40e65f 15630->15631 15633 40e6a5 15631->15633 15634 40e68c lstrcmpA 15631->15634 15632 40ebcc 4 API calls 15635 40e6b0 15632->15635 15633->15632 15636 40e6f5 15633->15636 15634->15631 15635->15636 15638 40e6b7 15635->15638 15639 40e6e0 lstrcpynA 15635->15639 15637 40e71d lstrcmpA 15636->15637 15636->15638 15637->15636 15638->15082 15639->15636 15640->15088 15642 40c525 15641->15642 15643 40c532 15641->15643 15642->15643 15645 40ec2e codecvt 4 API calls 15642->15645 15644 40c548 15643->15644 15793 40e7ff 15643->15793 15646 40c54f 15644->15646 15648 40e7ff lstrcmpiA 15644->15648 15645->15643 15646->15101 15649 40c615 15648->15649 15649->15646 15651 40ebcc 4 API calls 15649->15651 15651->15646 15652 40c5d1 15653 40ebcc 4 API calls 15652->15653 15653->15646 15654 40e819 11 API calls 15655 40c5b7 15654->15655 15656 40f04e 4 API calls 15655->15656 15657 40c5bf 15656->15657 15657->15644 15657->15652 15659 402692 inet_addr 15658->15659 15660 40268e 15658->15660 15659->15660 15661 40269e gethostbyname 15659->15661 15662 40f428 15660->15662 15661->15660 15796 40f315 15662->15796 15667 40c8d2 15665->15667 15666 40c907 15666->15103 15667->15666 15668 40c517 23 API calls 15667->15668 15668->15666 15669 40f43e 15670 40f473 recv 15669->15670 15671 40f458 15670->15671 15672 40f47c 15670->15672 15671->15670 15671->15672 15672->15119 15674 40c670 15673->15674 15675 40c67d 15673->15675 15676 40ebcc 4 API calls 15674->15676 15677 40ebcc 4 API calls 
15675->15677 15679 40c699 15675->15679 15676->15675 15677->15679 15678 40c6f3 15678->15132 15678->15196 15679->15678 15680 40c73c send 15679->15680 15680->15678 15682 40c770 15681->15682 15683 40c77d 15681->15683 15684 40ebcc 4 API calls 15682->15684 15685 40c799 15683->15685 15686 40ebcc 4 API calls 15683->15686 15684->15683 15687 40c7b5 15685->15687 15688 40ebcc 4 API calls 15685->15688 15686->15685 15689 40f43e recv 15687->15689 15688->15687 15690 40c7cb 15689->15690 15691 40f43e recv 15690->15691 15692 40c7d3 15690->15692 15691->15692 15692->15196 15809 407db7 15693->15809 15696 407e96 15696->15196 15697 407e70 15697->15696 15699 40f04e 4 API calls 15697->15699 15698 40f04e 4 API calls 15700 407e4c 15698->15700 15699->15696 15700->15697 15701 40f04e 4 API calls 15700->15701 15701->15697 15703 406ec3 2 API calls 15702->15703 15704 407fdd 15703->15704 15705 4073ff 17 API calls 15704->15705 15714 4080c2 CreateProcessA 15704->15714 15706 407fff 15705->15706 15707 407809 21 API calls 15706->15707 15706->15714 15708 40804d 15707->15708 15709 40ef1e lstrlenA 15708->15709 15708->15714 15710 40809e 15709->15710 15711 40ef1e lstrlenA 15710->15711 15712 4080af 15711->15712 15713 407a95 24 API calls 15712->15713 15713->15714 15714->15184 15714->15185 15716 407db7 2 API calls 15715->15716 15717 407eb8 15716->15717 15718 40f04e 4 API calls 15717->15718 15719 407ece DeleteFileA 15718->15719 15719->15196 15721 40dd05 6 API calls 15720->15721 15722 40e31d 15721->15722 15813 40e177 15722->15813 15724 40e326 15724->15156 15726 4031f3 15725->15726 15736 4031ec 15725->15736 15727 40ebcc 4 API calls 15726->15727 15734 4031fc 15727->15734 15728 403459 15730 40f04e 4 API calls 15728->15730 15729 40349d 15731 40ec2e codecvt 4 API calls 15729->15731 15732 40345f 15730->15732 15731->15736 15733 4030fa 4 API calls 15732->15733 15733->15736 15734->15734 15735 40ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 15734->15735 15734->15736 15737 40344d 15734->15737 15739 40344b 
                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                        • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                          • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                          • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                          • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                        • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                        • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                        • ExitProcess.KERNEL32 ref: 00409C06
                                                                        • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                        • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                        • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                        • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                        • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                        • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                        • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                        • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                        • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                        • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                        • wsprintfA.USER32 ref: 0040A0B6
                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                        • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                        • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                        • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                        • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                        • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                          • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                          • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                          • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                        • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                        • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                        • GetLastError.KERNEL32 ref: 0040A3ED
                                                                        • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                        • DeleteFileA.KERNEL32(004133D8), ref: 0040A407
                                                                        • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                        • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                        • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                        • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                        • GetTickCount.KERNEL32 ref: 0040A49F
                                                                        • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                        • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                        • String ID: "$"$"$%X%08X$D$P$PromptOnSecureDesktop$\
                                                                        • API String ID: 2089075347-2824936573
                                                                        • Opcode ID: 1766690efc88ce29846324f8dfd8ebf0ff4b658a314e2c6797e2be59256e70c4
                                                                        • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                        • Opcode Fuzzy Hash: 1766690efc88ce29846324f8dfd8ebf0ff4b658a314e2c6797e2be59256e70c4
                                                                        • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                        • wsprintfA.USER32 ref: 004093CE
                                                                        • wsprintfA.USER32 ref: 0040940C
                                                                        • wsprintfA.USER32 ref: 0040948D
                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                        • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                        • String ID: PromptOnSecureDesktop$runas
                                                                        • API String ID: 3696105349-2220793183
                                                                        • Opcode ID: 97af48ab48525fb617f5abd17424ad614edf633f88179256e16c2771f2badf11
                                                                        • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                        • Opcode Fuzzy Hash: 97af48ab48525fb617f5abd17424ad614edf633f88179256e16c2771f2badf11
                                                                        • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                        • GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                        • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                        • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseErrorLast$FileHandle$ChangeCreateDeleteDiskFindFreeNotificationSpace
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 1251348514-2980165447
                                                                        • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                        • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                        • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                        • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                        • GetTickCount.KERNEL32 ref: 0040EC78
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Time$CountFileInformationSystemTickVolume
                                                                        • String ID:
                                                                        • API String ID: 1209300637-0
                                                                        • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                        • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                        • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                        • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02651EC1
                                                                        • Module32First.KERNEL32(00000000,00000224), ref: 02651EE1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760365617.000000000264D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0264D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_264d000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 3833638111-0
                                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                        • Instruction ID: 04a35835b5f39a0bb073a89ee4899d88763a6d6ac9d54911b7ca01cdcd65ddf5
                                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                        • Instruction Fuzzy Hash: D0F096355007256BD7203BF9DC8CB6F76ECAF4A625F100668EA4B921C0DBB4E8454AA1

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                        • RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                          • Part of subcall function 0040EB74: GetProcessHeap.KERNEL32(00000000,00000000,0040EC28,00000000,?,0040DB55,7FFF0001), ref: 0040EB81
                                                                          • Part of subcall function 0040EB74: HeapSize.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EB88
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$Process$AllocateSize
                                                                        • String ID:
                                                                        • API String ID: 2559512979-0
                                                                        • Opcode ID: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                        • Instruction ID: 42103369b453d960252fa070f8f6fdc0a0ffae9c693debdf4c74a5c852f77059
                                                                        • Opcode Fuzzy Hash: ee98881387dc159fbc66546a2e4b1eb81700a9f94495ef156612fafc796680c8
                                                                        • Instruction Fuzzy Hash: 54C0803210422077C60127A57C0CEDA3E74DF04352F084425F505C1160CB794880879D

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
                                                                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
                                                                        • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                        • RegCloseKey.KERNELBASE(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                        • RegCloseKey.ADVAPI32(?), ref: 004077E6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                        • String ID: "$PromptOnSecureDesktop
                                                                        • API String ID: 3433985886-3108538426
                                                                        • Opcode ID: fb0f2a9e6fd52b701184d9b1120ae1b26139c4ce9695fa828964d471d7998326
                                                                        • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                        • Opcode Fuzzy Hash: fb0f2a9e6fd52b701184d9b1120ae1b26139c4ce9695fa828964d471d7998326
                                                                        • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
                                                                        • RegEnumValueA.KERNELBASE(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
                                                                        • RegCloseKey.KERNELBASE(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
                                                                        • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,PromptOnSecureDesktop,000000C8,00407150,?), ref: 0040F1AD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                        • String ID: $"$PromptOnSecureDesktop
                                                                        • API String ID: 4293430545-98143240
                                                                        • Opcode ID: 844d959b869107477598dc7fc3fd0898fc590bab3c8716b4da34f6361cc296a8
                                                                        • Instruction ID: bdd769efad709bd93da993ba4a974553bca105625a5613f565cdc8f40f8c6bf1
                                                                        • Opcode Fuzzy Hash: 844d959b869107477598dc7fc3fd0898fc590bab3c8716b4da34f6361cc296a8
                                                                        • Instruction Fuzzy Hash: 8FB17F71D0820ABAEB159FA1DC45BEF77B8AB04304F10047BF501F61D1EB79AA94CB69

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                        • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                        • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                        • ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                        • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                        • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
                                                                        • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
                                                                        • ReadFile.KERNEL32(000000FF,004121A8,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
                                                                        • FindCloseChangeNotification.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 00406971
                                                                          • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                          • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                        • String ID:
                                                                        • API String ID: 1400801100-0
                                                                        • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                        • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                        • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                        • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54

                                                                        Control-flow Graph

• Control-flow graph (rendered image residue): function 025E003C-025E091D; its basic blocks call VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA (twice) and the subroutines 025E0A3F, 025E0E0F, 025E0D90, 025E0A69, 025E0CCE and 025E0CE7
                                                                        APIs
                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 025E024D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID: cess$kernel32.dll
                                                                        • API String ID: 4275171209-1230238691
                                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                        • Instruction ID: c97db3b646984794bd1160e20933eaed74d62d05f938e549ae04c2f16b3e5529
                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                        • Instruction Fuzzy Hash: 2C526974A01229DFDB64CF58C985BACBBB1BF09314F1480D9E54EAB391DB70AA85CF14
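Two of the functions above fit together: the one at 0040675C reads a file in chunks of 0x40, 0xF8 and then 0x28 bytes per iteration, and the one at 025E003C does VirtualAlloc(MEM_COMMIT, PAGE_READWRITE), a VirtualProtect loop, VirtualFree and LoadLibraryA with the string kernel32.dll. The following is an added example written for this page, not code from the Joe Sandbox report or from the Tofsee sample. It assumes (an inference from the sizes, which the report does not state) that 0x40, 0xF8 and 0x28 are sizeof(IMAGE_DOS_HEADER), sizeof(IMAGE_NT_HEADERS32) and sizeof(IMAGE_SECTION_HEADER), walks a PE32 file with the same read/seek sequence, and then derives the VirtualAlloc/VirtualProtect calls a manual mapper would issue for each section. The sample PE it parses is a constructed minimal image built inline, not the analysed binary.

```python
import io
import struct

# Read sizes matching the ReadFile lengths in the trace. Assumption for this example:
# they are the DOS header, IMAGE_NT_HEADERS32 and one IMAGE_SECTION_HEADER.
DOS_HEADER_SIZE = 0x40
NT_HEADERS32_SIZE = 0xF8
SECTION_HEADER_SIZE = 0x28

# IMAGE_SECTION_HEADER.Characteristics bits and the VirtualProtect constants they map to
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE = 0x01, 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x10, 0x20, 0x40


def section_protection(characteristics):
    """Page protection a loader requests for a section (write implies read, as Windows treats it)."""
    x = bool(characteristics & IMAGE_SCN_MEM_EXECUTE)
    w = bool(characteristics & IMAGE_SCN_MEM_WRITE)
    r = bool(characteristics & IMAGE_SCN_MEM_READ) or w
    if x:
        return PAGE_EXECUTE_READWRITE if w else (PAGE_EXECUTE_READ if r else PAGE_EXECUTE)
    return PAGE_READWRITE if w else (PAGE_READONLY if r else PAGE_NOACCESS)


def parse_pe_headers(f):
    """Walk a PE32 file the way the trace does: read 0x40, seek e_lfanew, read 0xF8, read 0x28 per section."""
    f.seek(0, io.SEEK_END)
    size = f.tell()                          # GetFileSize
    f.seek(0)
    dos = f.read(DOS_HEADER_SIZE)            # ReadFile(0x40)
    if len(dos) != DOS_HEADER_SIZE or dos[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    if e_lfanew + NT_HEADERS32_SIZE > size:  # the size check the trace's GetFileSize call enables
        raise ValueError("e_lfanew points past end of file")
    f.seek(e_lfanew)                         # SetFilePointer
    nt = f.read(NT_HEADERS32_SIZE)           # ReadFile(0xF8)
    if nt[:4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", nt, 4)
    opt = 24                                 # optional header follows the 20-byte file header
    if struct.unpack_from("<H", nt, opt)[0] != 0x10B:
        raise ValueError("not PE32")
    entry, image_base, size_of_image = (struct.unpack_from("<I", nt, opt + o)[0] for o in (16, 28, 56))
    f.seek(e_lfanew + opt + opt_size)        # SetFilePointer to the section table
    sections = []
    for _ in range(nsections):
        raw = f.read(SECTION_HEADER_SIZE)    # ReadFile(0x28), once per section
        if len(raw) != SECTION_HEADER_SIZE:
            raise ValueError("truncated section table")
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", raw, 0)
        chars = struct.unpack_from("<I", raw, 36)[0]
        if rawptr + rawsize > size:
            raise ValueError("section data past end of file")
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rawsize, "raw_ptr": rawptr,
                         "characteristics": chars})
    return {"machine": machine, "entry_point": entry, "image_base": image_base,
            "size_of_image": size_of_image, "sections": sections}


def mapping_plan(pe):
    """Allocation and protection calls of a manual mapper: one RW VirtualAlloc, then VirtualProtect per section."""
    plan = [("VirtualAlloc", 0, pe["size_of_image"], PAGE_READWRITE)]
    for s in pe["sections"]:
        span = max(s["virtual_size"], s["raw_size"])
        plan.append(("VirtualProtect", s["virtual_address"], span, section_protection(s["characteristics"])))
    return plan


def build_sample_pe32():
    """Constructed minimal PE32 image for this example (not the analysed sample): two sections, no code."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)            # e_lfanew right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                # SizeOfImage, SizeOfHeaders

    def sec(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    sections = (sec(b".text", 0x100, 0x1000, 0x200, 0x200, 0x60000020) +   # code, read + execute
                sec(b".data", 0x100, 0x2000, 0x200, 0x400, 0xC0000040))    # data, read + write
    return (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sections).ljust(0x600, b"\0")


def parse_sample():
    return parse_pe_headers(io.BytesIO(build_sample_pe32()))


def is_valid_pe(data):
    try:
        parse_pe_headers(io.BytesIO(data))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for step in mapping_plan(parse_sample()):
        print(step)
```

The first plan entry is exactly the VirtualAlloc(NULL, size, 0x1000, 0x4) seen at 025E024D (MEM_COMMIT, PAGE_READWRITE); the function at 02651BA9 instead asks for 0x40 (PAGE_EXECUTE_READWRITE) up front, which is the cruder variant that never needs a VirtualProtect pass.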

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • lstrcpyA.KERNEL32(?,?,00000100,PromptOnSecureDesktop,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                        • lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                        • lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                          • Part of subcall function 00406A60: CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                          • Part of subcall function 00406A60: GetDiskFreeSpaceA.KERNELBASE(00409E9D,00409A60,?,?,?,PromptOnSecureDesktop,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                          • Part of subcall function 00406A60: GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                          • Part of subcall function 00406A60: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                          • Part of subcall function 00406A60: DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Filelstrcat$CloseCreateDeleteDiskErrorFreeHandleLastSpacelstrcpy
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 4131120076-2980165447
                                                                        • Opcode ID: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                        • Instruction ID: c4e01e0c9c22f42140b45f86cbdbc152d24ce0e59ed2090f1037bb69612005af
                                                                        • Opcode Fuzzy Hash: e18185d0f37ace2058eb608823ad36cbc71581f24a02a40a50f5e6d881590964
                                                                        • Instruction Fuzzy Hash: 0501A27294020877EA103F62EC47F9F3F1DEB44728F00483AF619790D2D9BA95709AAC

                                                                        Control-flow Graph

• Control-flow graph (rendered image residue): function 00404000-0040405C; its basic blocks call CreateFileA, GetLastError and Sleep, with the Sleep block looping back to the CreateFileA block
                                                                        APIs
                                                                        • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,PromptOnSecureDesktop,004042B6,00000000,00000001,PromptOnSecureDesktop,00000000,?,004098FD), ref: 00404021
                                                                        • GetLastError.KERNEL32(?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 0040402C
                                                                        • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404046
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateErrorFileLastSleep
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 408151869-2980165447
                                                                        • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                        • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                        • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                        • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                        Control-flow Graph

• Control-flow graph (rendered image residue): function 00406987-00406A5F; its basic blocks call WriteFile twice
                                                                        APIs
                                                                        • WriteFile.KERNELBASE(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                        • WriteFile.KERNELBASE(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileWrite
                                                                        • String ID: ,k@
                                                                        • API String ID: 3934441357-1053005162
                                                                        • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                        • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                        • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                        • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65

                                                                        Control-flow Graph

• Control-flow graph (rendered image residue): function 004091EB-00409324; its basic blocks call the subroutines 0040ED03 and 0040EE08, Sleep and ShellExecuteA
                                                                        APIs
                                                                        • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000023,00000000,00000000), ref: 004092CF
                                                                        • Sleep.KERNELBASE(000001F4,00000000,00000000,000000C8), ref: 004092F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExecuteShellSleep
                                                                        • String ID:
                                                                        • API String ID: 4194306370-0
                                                                        • Opcode ID: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                        • Instruction ID: 2238cefa34e52eac0eed51a1b9fc18e9663c37cde2c16e9a3df151323357230f
                                                                        • Opcode Fuzzy Hash: 3372c8ca0f183eb5491d8b73672d2af1eba7a86cb059b25099cdfc4087d6fc87
                                                                        • Instruction Fuzzy Hash: E941EE718083497EEB269664988C7E73BA49B52300F2809FFD492B72D3D7BC4D818759

                                                                        Control-flow Graph

• Control-flow graph (rendered image residue): function 025E0E0F-025E0E2C; its basic blocks call SetErrorMode twice
                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00000400,?,?,025E0223,?,?), ref: 025E0E19
                                                                        • SetErrorMode.KERNELBASE(00000000,?,?,025E0223,?,?), ref: 025E0E1E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                        • Instruction ID: 1cacf028484974530ae65c6e85c24824324feaa6d5fdbaaae33983dc66bd837b
                                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                        • Instruction Fuzzy Hash: 9AD0123114512877DB003A94DC09BCD7F1CDF05B66F008021FB0DE9080C7B0954046E9
                                                                        APIs
                                                                          • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                          • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                          • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                          • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                        • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                        • String ID:
                                                                        • API String ID: 1823874839-0
                                                                        • Opcode ID: 05478fb9babea3aedd85a8edb4ab166fddf6c1b165fd5123cd32555987dcb6f6
                                                                        • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                        • Opcode Fuzzy Hash: 05478fb9babea3aedd85a8edb4ab166fddf6c1b165fd5123cd32555987dcb6f6
                                                                        • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C
                                                                        APIs
                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02651BA9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760365617.000000000264D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0264D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_264d000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                        • Instruction ID: d1ced0da1bc2b1cb4333946a869cc36e531b88a440730cce5febef7716b0ddfa
                                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                        • Instruction Fuzzy Hash: BB113979A00208EFDB01DF98C985E98BBF5AF08351F0580A4FA489B361D371EA90DF84
                                                                        APIs
                                                                        • closesocket.WS2_32(?), ref: 0040CA4E
                                                                        • closesocket.WS2_32(?), ref: 0040CB63
                                                                        • GetTempPathA.KERNEL32(00000120,?), ref: 0040CC28
                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040CCB4
                                                                        • WriteFile.KERNEL32(0040A4B3,?,-000000E8,?,00000000), ref: 0040CCDC
                                                                        • CloseHandle.KERNEL32(0040A4B3), ref: 0040CCED
                                                                        • wsprintfA.USER32 ref: 0040CD21
                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040CD77
                                                                        • WaitForSingleObject.KERNEL32(?,0000EA60), ref: 0040CD89
                                                                        • CloseHandle.KERNEL32(?), ref: 0040CD98
                                                                        • CloseHandle.KERNEL32(?), ref: 0040CD9D
                                                                        • DeleteFileA.KERNEL32(?), ref: 0040CDC4
                                                                        • CloseHandle.KERNEL32(0040A4B3), ref: 0040CDCC
                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040CFB1
                                                                        • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040CFEF
                                                                        • GetSystemDirectoryA.KERNEL32(?,00000100), ref: 0040D033
                                                                        • lstrcatA.KERNEL32(?,?), ref: 0040D10C
                                                                        • SetFileAttributesA.KERNEL32(?,00000080), ref: 0040D155
                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D171
                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040D195
                                                                        • CloseHandle.KERNEL32(00000000), ref: 0040D19C
                                                                        • SetFileAttributesA.KERNEL32(?,00000002), ref: 0040D1C8
                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D231
                                                                        • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D27C
                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D2AB
                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2C7
                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2EB
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D2F2
                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D326
                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 0040D372
                                                                        • lstrcatA.KERNEL32(?,?,?,?,?,?,?,?,?,00000100), ref: 0040D3BD
                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 0040D3EC
                                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D408
                                                                        • WriteFile.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 0040D428
                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 0040D42F
                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 0040D45B
                                                                        • CreateProcessA.KERNEL32(?,00410264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040D4DE
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4F4
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D4FC
                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 0040D513
                                                                        • closesocket.WS2_32(?), ref: 0040D56C
                                                                        • Sleep.KERNEL32(000003E8), ref: 0040D577
                                                                        • ExitProcess.KERNEL32 ref: 0040D583
                                                                        • wsprintfA.USER32 ref: 0040D81F
                                                                          • Part of subcall function 0040C65C: send.WS2_32(00000000,?,00000000), ref: 0040C74B
                                                                        • closesocket.WS2_32(?), ref: 0040DAD5
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
                                                                        • String ID: .dat$.sys$4$@$PromptOnSecureDesktop$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
                                                                        • API String ID: 562065436-3791576231
                                                                        • Opcode ID: 08388a96a0613bf8d27a9a5b88df5728e1ce957ca3804cc8d4ec0e6dce1f5215
                                                                        • Instruction ID: 1bec03d5b3261cfbda03ea9d0ba23ae7472bbf6119f1c93de8fbd0284471d070
                                                                        • Opcode Fuzzy Hash: 08388a96a0613bf8d27a9a5b88df5728e1ce957ca3804cc8d4ec0e6dce1f5215
                                                                        • Instruction Fuzzy Hash: 1BB2B471D00209BBEB209FA4DD85FEA7BB9EB08304F14457BF505B22D1D7789A898B5C
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                        • GetProcAddress.KERNEL32(?,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                        • GetProcAddress.KERNEL32(?,RtlSetLastWin32Error), ref: 004010E1
                                                                        • GetProcAddress.KERNEL32(?,NtTerminateProcess), ref: 00401101
                                                                        • GetProcAddress.KERNEL32(?,RtlFreeSid), ref: 00401121
                                                                        • GetProcAddress.KERNEL32(?,RtlInitUnicodeString), ref: 00401140
                                                                        • GetProcAddress.KERNEL32(?,NtSetInformationThread), ref: 00401160
                                                                        • GetProcAddress.KERNEL32(?,NtSetInformationToken), ref: 00401180
                                                                        • GetProcAddress.KERNEL32(?,RtlNtStatusToDosError), ref: 0040119F
                                                                        • GetProcAddress.KERNEL32(?,NtClose), ref: 004011BF
                                                                        • GetProcAddress.KERNEL32(?,NtOpenProcessToken), ref: 004011DF
                                                                        • GetProcAddress.KERNEL32(?,NtDuplicateToken), ref: 004011FE
                                                                        • GetProcAddress.KERNEL32(?,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressProc$LibraryLoad
                                                                        • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                        • API String ID: 2238633743-3228201535
                                                                        • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                        • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                        • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                        • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                        • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                        • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                        • wsprintfA.USER32 ref: 0040B3B7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                        • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                        • API String ID: 766114626-2976066047
                                                                        • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                        • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                        • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                        • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                        APIs
                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                        • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                        • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                        • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                        • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                        • String ID: D
                                                                        • API String ID: 3722657555-2746444292
                                                                        • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                        • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                        • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                        • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                        APIs
                                                                        • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                        • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExecuteShelllstrlen
                                                                        • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                        • API String ID: 1628651668-179334549
                                                                        • Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                        • Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
                                                                        • Opcode Fuzzy Hash: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
                                                                        • Instruction Fuzzy Hash: E5F19FB55083419FD720DF64C888BABB7E5FB88304F10892EF596A73A0D778D944CB5A
                                                                        APIs
                                                                        • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                        • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                        • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                        • GetTickCount.KERNEL32 ref: 00401FC9
                                                                          • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                        • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                        • API String ID: 4207808166-1381319158
                                                                        • Opcode ID: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                        • Instruction ID: 8f9aaa01d81d5e00f35a14cef107f65a3e8f5b831808d54868c05c9eb27f2f66
                                                                        • Opcode Fuzzy Hash: 9f3abc139dc6c88613093014c78d45ea21c86ec42b9258ba851d748653af05de
                                                                        • Instruction Fuzzy Hash: D451D9B05043446FD320AF768C85F67BAECEB84708F04493FF955A2292D7BDA94487A9
                                                                        APIs
                                                                        • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
                                                                        • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                        • htons.WS2_32(00000000), ref: 00402ADB
                                                                        • select.WS2_32 ref: 00402B28
                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                        • htons.WS2_32(?), ref: 00402B71
                                                                        • htons.WS2_32(?), ref: 00402B8C
                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                        • String ID:
                                                                        • API String ID: 1639031587-0
                                                                        • Opcode ID: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                        • Instruction ID: 51c4a8f8372388146ce05ee3fd67d3b8acfed2692fca977a8adbfce498b2b585
                                                                        • Opcode Fuzzy Hash: 0a9a318a9520cdba09dec5fbe0b7d43cc2391f431d6a7511ea18a0acbd49a9c0
                                                                        • Instruction Fuzzy Hash: FB61D271508305ABD7209F51DE0CB6FBBE8FB48345F14482AF945A72D1D7F8D8808BAA
                                                                        APIs
                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                        • ExitProcess.KERNEL32 ref: 00404121
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateEventExitProcess
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 2404124870-2980165447
                                                                        • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                        • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                        • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                        • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                        APIs
                                                                        • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
                                                                        • LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
                                                                        • GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
                                                                        • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Read$AddressLibraryLoadProc
                                                                        • String ID:
                                                                        • API String ID: 2438460464-0
                                                                        • Opcode ID: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                        • Instruction ID: 2c66ad34c3d6fb1da92a891872b73c8746f5f3d5bf62d79dfacd6c24df0475f4
                                                                        • Opcode Fuzzy Hash: beeb212f6d5b41c5424ed959fb710d65fbebcae36a96b2ee910fcd89165a7e78
                                                                        • Instruction Fuzzy Hash: D5418C71A00105AFDB10CF58C884BAAB7B9EF14354F26807AE816EB3D1D738ED61CB84
                                                                        APIs
                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                        • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                        • String ID: *p@
                                                                        • API String ID: 3429775523-2474123842
                                                                        • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                        • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                        • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                        • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
APIs
• GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 004063CA
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 004063EB
Memory Dump Source
• Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• API String ID: 1965334864-0
• Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
• Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
• Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8
APIs
• GetModuleHandleA.KERNEL32(00000000), ref: 025E65F6
• VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 025E6610
• VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 025E6631
• WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 025E6652
Memory Dump Source
• Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
Similarity
• API ID: AllocVirtual$HandleMemoryModuleProcessWrite
• API String ID: 1965334864-0
• Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
• Instruction ID: 373864ace6abbfffcafdd7fd10633e789074b9677d6f88353d8f0fe976f4afe5
• Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
• Instruction Fuzzy Hash: EA1191B1600219BFDB259F65DC09F9B3FACFB047A5F104025FA09A7290DBB1DD008AA8
APIs
• CreateFileW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000100), ref: 00408E5F
• DeviceIoControl.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00408EAB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00408EB4
  • Part of subcall function 00408DF1: GetSystemTime.KERNEL32(?,004129F8,?,?,00408E8B,?), ref: 00408DFC
  • Part of subcall function 00408DF1: SystemTimeToFileTime.KERNEL32(?,00408E8B,?,?,00408E8B,?), ref: 00408E0A
Memory Dump Source
• Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
Similarity
• API ID: Time$FileSystem$CloseControlCreateDeviceHandle
• API String ID: 3754425949-0
• Opcode ID: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
• Instruction ID: 6158522553dbc768b3fa764069f531a078bfca64040c8912efb0c234455cb59d
• Opcode Fuzzy Hash: 2cf703b3f3d70fe1d21397a344fcfe55e6ffa78bdc2e74738428da1b6bf63eb9
• Instruction Fuzzy Hash: CD11C8726402047BEB115F95CD4EEDB3F6DEB85714F00452AF611B62C1DAB9985087A8
Memory Dump Source
• Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
Similarity
• String ID: .$GetProcAddress.$l
• API String ID: 0-2784972518
• Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction ID: fc5b48697e139aa503d4e7ed2b31dba268f8bea0036869d3efbd2890e3e86d25
• Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction Fuzzy Hash: D13137B6900609DFDB14CF99C880AAEBBF5FF58324F54404AD442B7250D7B1EA45CBA8
Memory Dump Source
• Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
Similarity
• Opcode ID: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
• Instruction ID: 64893a5cec851924fefc00027ac9d8258265f32e823952a4835c6918c3f2ac29
• Opcode Fuzzy Hash: b87d996b03424d41ecd054f3042c71836826564e4b1ffe17874333ad5a991b34
• Instruction Fuzzy Hash: 59714BB4501B41CFD360CF66D548782BBE0BB54308F10CD6ED5AAAB790DBB86588DF98
Memory Dump Source
• Source File: 00000000.00000002.1760365617.000000000264D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0264D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_264d000_ewdWlNc8TL.jbxd
Similarity
• Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction ID: 986dcdf874dfcc0873addfd17d72cc1818e4dc616ec5052521489a0bf9968e76
• Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction Fuzzy Hash: 1D118272340110AFD744DF59DCC0FA673EAEB8A364B198095ED08CB311D675E802C760
Memory Dump Source
• Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
Similarity
• Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction ID: df0410c61a203207abd4ddf3c82edefc2bc19500901f7bae37740177d3c213eb
• Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
• Instruction Fuzzy Hash: 6E018F76A106048FDF25DF24C904BAE33A5FB86316F4544B5D90BE7281E7B4A9418B94
APIs
• ExitProcess.KERNEL32 ref: 025E9E6D
• lstrcpy.KERNEL32(?,00000000), ref: 025E9FE1
• lstrcat.KERNEL32(?,?), ref: 025E9FF2
• lstrcat.KERNEL32(?,0041070C), ref: 025EA004
• GetFileAttributesExA.KERNEL32(?,?,?), ref: 025EA054
• DeleteFileA.KERNEL32(?), ref: 025EA09F
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 025EA0D6
• lstrcpy.KERNEL32 ref: 025EA12F
• lstrlen.KERNEL32(00000022), ref: 025EA13C
• GetTempPathA.KERNEL32(000001F4,?), ref: 025E9F13
  • Part of subcall function 025E7029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 025E7081
  • Part of subcall function 025E6F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\wukhxvso,025E7043), ref: 025E6F4E
  • Part of subcall function 025E6F30: GetProcAddress.KERNEL32(00000000), ref: 025E6F55
  • Part of subcall function 025E6F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 025E6F7B
  • Part of subcall function 025E6F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 025E6F92
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 025EA1A2
• RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 025EA1C5
• GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 025EA214
• GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 025EA21B
• GetDriveTypeA.KERNEL32(?), ref: 025EA265
• lstrcat.KERNEL32(?,00000000), ref: 025EA29F
• lstrcat.KERNEL32(?,00410A34), ref: 025EA2C5
• lstrcat.KERNEL32(?,00000022), ref: 025EA2D9
• lstrcat.KERNEL32(?,00410A34), ref: 025EA2F4
• wsprintfA.USER32 ref: 025EA31D
• lstrcat.KERNEL32(?,00000000), ref: 025EA345
• lstrcat.KERNEL32(?,?), ref: 025EA364
• CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 025EA387
• DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 025EA398
• RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 025EA1D1
  • Part of subcall function 025E9966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 025E999D
  • Part of subcall function 025E9966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 025E99BD
  • Part of subcall function 025E9966: RegCloseKey.ADVAPI32(?), ref: 025E99C6
• GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 025EA3DB
• GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 025EA3E2
• GetDriveTypeA.KERNEL32(00000022), ref: 025EA41D
Memory Dump Source
• Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
Similarity
• API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
• String ID: "$"$"$D$P$\
• API String ID: 1653845638-2605685093
• Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
• Instruction ID: 4b1be3a0c8320cbc4fc28b6e41c9cdded7a3fa96aa5ccfc2813adf84633cbff9
• Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
• Instruction Fuzzy Hash: 11F150B1D40259AFDF25DBB0CC48EEF7BBDBB48304F1444A6E606E2141E7758A848F69
APIs
• RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
• GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
• LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,004133B0,?), ref: 00407B16
• RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
• GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
• EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
• LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
• RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
• LocalFree.KERNEL32(00000000), ref: 00407BB2
• GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
Memory Dump Source
• Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: D$PromptOnSecureDesktop
• API String ID: 2976863881-1403908072
• Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
• Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
• Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
APIs
• RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 025E7D21
• GetUserNameA.ADVAPI32(?,?), ref: 025E7D46
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 025E7D7D
• RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 025E7DA2
• GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 025E7DC0
• EqualSid.ADVAPI32(?,?), ref: 025E7DD1
• LocalAlloc.KERNEL32(00000040,00000014), ref: 025E7DE5
• InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 025E7DF3
• SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 025E7E03
• RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 025E7E12
• LocalFree.KERNEL32(00000000), ref: 025E7E19
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 025E7E35
Memory Dump Source
• Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
Similarity
• API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
• String ID: D$PromptOnSecureDesktop
• API String ID: 2976863881-1403908072
• Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
• Instruction ID: c6f09873c3805284feb27b0d065540eef070ecb9ae4a6319b128c04334f3d38d
• Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
• Instruction Fuzzy Hash: 94A17C71900219AFDF25DFA0DC88FEEBFB9FB08304F048569E516E6150E7758A84CB68
Memory Dump Source
• Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
Similarity
• API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
• String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
• API String ID: 2400214276-165278494
• Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
• Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
• Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                        APIs
                                                                        • wsprintfA.USER32 ref: 0040A7FB
                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                        • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                        • wsprintfA.USER32 ref: 0040A8AF
                                                                        • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                        • wsprintfA.USER32 ref: 0040A8E2
                                                                        • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                        • wsprintfA.USER32 ref: 0040A9B9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wsprintf$send$lstrlenrecv
                                                                        • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                        • API String ID: 3650048968-2394369944
                                                                        • Opcode ID: 746662ae2e07b1e187343bb9806b09eabb2692b1532a6a4bb231cefe9db8a9a3
                                                                        • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                        • Opcode Fuzzy Hash: 746662ae2e07b1e187343bb9806b09eabb2692b1532a6a4bb231cefe9db8a9a3
                                                                        • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
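The API calls and strings of the function above (send/recv over WS2_32, a 0x3F6-byte recv buffer, and the literals ESMTP, ehlo %s, helo %s, mail from:<%s>, rcpt to:<%s>, data, quit, plus the error messages) describe a hand-rolled SMTP client. The script below is an added example, not code from the report or from the analysed sample: it replays that dialogue against a scripted in-memory peer so that both sides of the exchange and each error path (the partial-send error, "Too big smtp respons", "Too small respons", "Incorrect respons") can be exercised offline. The fake mail exchanger's replies, the choice of ehlo when the banner contains ESMTP, and the 5-byte CRLF.CRLF terminator are assumptions made for the example, not facts taken from the report.

```python
# Added example, not code from the Joe Sandbox report or the analysed sample.
# Replays the SMTP dialogue implied by the strings in the function above
# against a scripted peer, so the exchange and its error paths run offline.

RECV_BUF = 0x3F6  # recv(..., 0x3F6, 0) in the report: a 1014-byte reply buffer

# Constructed replies for a well-behaved mail exchanger (assumption, not from the report).
DEFAULT_REPLIES = {
    "ehlo": "250-mx.example.test\r\n250 SIZE 10240000\r\n",
    "helo": "250 mx.example.test\r\n",
    "mail": "250 2.1.0 Ok\r\n",
    "rcpt": "250 2.1.5 Ok\r\n",
    "data": "354 End data with <CR><LF>.<CR><LF>\r\n",
    ".":    "250 2.0.0 Ok: queued\r\n",
    "quit": "221 2.0.0 Bye\r\n",
}


class ScriptedPeer:
    """In-memory stand-in for the remote MX: answers each command verb from a reply table."""

    def __init__(self, replies, banner="220 mx.example.test ESMTP ready\r\n", send_limit=None):
        self.replies = replies
        self.inbox = banner.encode()   # bytes waiting for the client to recv()
        self.send_limit = send_limit   # cap on bytes accepted per send(), to force a short send
        self.in_data = False
        self.received = []

    def send(self, data):
        self.received.append(data)
        text = data.decode(errors="replace")
        if self.in_data:
            if text.endswith("\r\n.\r\n"):  # end-of-message terminator
                self.in_data = False
                self.inbox += self.replies["."].encode()
            return len(data)
        parts = text.split()
        verb = parts[0].lower() if parts else ""  # "mail from:<..>" -> "mail"
        if verb == "data":
            self.in_data = True
        self.inbox += self.replies.get(verb, "500 unknown command\r\n").encode()
        return len(data) if self.send_limit is None else min(len(data), self.send_limit)

    def recv(self, n):
        chunk, self.inbox = self.inbox[:n], self.inbox[n:]
        return chunk


def smtp_send(peer, helo_name, mail_from, rcpt_to, body):
    """Run the helo/mail/rcpt/data/quit sequence; return (status, transcript)."""
    transcript = []

    def read_reply():
        data = peer.recv(RECV_BUF)
        if len(data) >= RECV_BUF:  # buffer filled: the "Too big" branch
            return None, f"Too big smtp respons ({len(data)} bytes)"
        if len(data) < 3:          # not even a 3-digit status code
            return None, "Too small respons"
        text = data.decode(errors="replace")
        transcript.append("S: " + text.strip("\r\n"))
        return text, None

    def command(line, expected):
        raw = line.encode()
        sent = peer.send(raw)
        transcript.append("C: " + line.strip("\r\n"))
        if sent != len(raw):       # partial send
            return f"Error sending command (sent = {sent}/{len(raw)})"
        reply, err = read_reply()
        if err:
            return err
        if not reply.startswith(expected):  # unexpected status code
            return "Incorrect respons"
        return None

    banner, err = read_reply()
    if err:
        return err, transcript
    if not banner.startswith("220"):
        return "Incorrect respons", transcript
    # Assumption: "ESMTP" in the banner selects ehlo, otherwise helo (the report lists both).
    greeting = "ehlo" if "ESMTP" in banner else "helo"
    for line, expected in [
        (f"{greeting} {helo_name}\r\n", "250"),
        (f"mail from:<{mail_from}>\r\n", "250"),
        (f"rcpt to:<{rcpt_to}>\r\n", "250"),
        ("data\r\n", "354"),
    ]:
        err = command(line, expected)
        if err:
            return err, transcript
    peer.send(body.encode())  # message body: no reply until the terminator
    transcript.append(f"C: (message body, {len(body)} bytes)")
    err = command("\r\n.\r\n", "250")  # 5-byte CRLF.CRLF terminator (assumption)
    if err:
        return err, transcript
    err = command("quit\r\n", "221")
    return (err or "ok"), transcript


if __name__ == "__main__":
    status, lines = smtp_send(ScriptedPeer(DEFAULT_REPLIES), "host", "a@example.test",
                              "b@example.test", "Subject: hi\r\n\r\nhello")
    print("\n".join(lines), "\n=>", status)
```

Swapping one reply in the table (a 550 on rcpt, a reply longer than the 1014-byte buffer, an empty line, or a peer that accepts only part of a send) drives the client down each of the error branches whose format strings appear in the listing.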
                                                                        APIs
                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 025E7A96
                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 025E7ACD
                                                                        • GetLengthSid.ADVAPI32(?), ref: 025E7ADF
                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 025E7B01
                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 025E7B1F
                                                                        • EqualSid.ADVAPI32(?,?), ref: 025E7B39
                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 025E7B4A
                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 025E7B58
                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 025E7B68
                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 025E7B77
                                                                        • LocalFree.KERNEL32(00000000), ref: 025E7B7E
                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 025E7B9A
                                                                        • GetAce.ADVAPI32(?,?,?), ref: 025E7BCA
                                                                        • EqualSid.ADVAPI32(?,?), ref: 025E7BF1
                                                                        • DeleteAce.ADVAPI32(?,?), ref: 025E7C0A
                                                                        • EqualSid.ADVAPI32(?,?), ref: 025E7C2C
                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 025E7CB1
                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 025E7CBF
                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 025E7CD0
                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 025E7CE0
                                                                        • LocalFree.KERNEL32(00000000), ref: 025E7CEE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                        • String ID: D
                                                                        • API String ID: 3722657555-2746444292
                                                                        • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                        • Instruction ID: b310a3a8b125a3acc7d31f7b1559025591981f4ba4c088d3b54f87ec39b616db
                                                                        • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                        • Instruction Fuzzy Hash: F2812B7190021AABEF25CFA4DD44BEEBFBCBF0C304F04816AE51AE6150E7759645CB68
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                        • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                        • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                        • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Value$CloseOpenQuery
                                                                        • String ID: PromptOnSecureDesktop$localcfg
                                                                        • API String ID: 237177642-1678164370
                                                                        • Opcode ID: f2b0532c569203f409dfb511051bc380affeba1dca504a90a769f383188acf62
                                                                        • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                        • Opcode Fuzzy Hash: f2b0532c569203f409dfb511051bc380affeba1dca504a90a769f383188acf62
                                                                        • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
                                                                        APIs
                                                                        • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                        • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                        • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                        • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                        • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                        • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                        • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                        • API String ID: 835516345-270533642
                                                                        • Opcode ID: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                        • Instruction ID: c689a3d9ae3379b0bfe51822f68a21815d588b76a9689f39126eb657c90dfffc
                                                                        • Opcode Fuzzy Hash: 52436911476c130446cd143f44c65522dc478156bb7ce270366fd521237d2269
                                                                        • Instruction Fuzzy Hash: 39313E32A01219AFCF119FE4DD888AFBBB9EB45311B24457BE501B2260D7B94E819F58
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 025E865A
                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 025E867B
                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 025E86A8
                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 025E86B1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Value$CloseOpenQuery
                                                                        • String ID: "$PromptOnSecureDesktop
                                                                        • API String ID: 237177642-3108538426
                                                                        • Opcode ID: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                        • Instruction ID: 0923b23fe54b11b111ed42bbc55020b8abfa771338e35e7e442ce1c66879669b
                                                                        • Opcode Fuzzy Hash: 1c60b81768065cc7cafd43d65e6870f876b06d8eccb24c6c2cb771a703b3980a
                                                                        • Instruction Fuzzy Hash: C9C1C2B1D00209BEEF15ABA4DD89EEF7FBDFB54300F144465F502E6060EB714A848B69
                                                                        APIs
                                                                        • ShellExecuteExW.SHELL32(?), ref: 025E1601
                                                                        • lstrlenW.KERNEL32(-00000003), ref: 025E17D8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExecuteShelllstrlen
                                                                        • String ID: $<$@$D
                                                                        • API String ID: 1628651668-1974347203
                                                                        • Opcode ID: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                        • Instruction ID: 6411c629166de4a316ad91131e87f53e6f55888c2b1791c4d39924ee40bdea97
                                                                        • Opcode Fuzzy Hash: 03adf1138caabce6029c68f91071d7d17f6d9527f2eb0b017a6edce7519f1441
                                                                        • Instruction Fuzzy Hash: E2F18CB15087419FDB24CF64C888BABBBE5FB88704F00892DF59AD7290D7B49D44CB5A
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 025E76D9
                                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 025E7757
                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 025E778F
                                                                        • ___ascii_stricmp.LIBCMT ref: 025E78B4
                                                                        • RegCloseKey.ADVAPI32(?), ref: 025E794E
                                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 025E796D
                                                                        • RegCloseKey.ADVAPI32(?), ref: 025E797E
                                                                        • RegCloseKey.ADVAPI32(?), ref: 025E79AC
                                                                        • RegCloseKey.ADVAPI32(?), ref: 025E7A56
                                                                          • Part of subcall function 025EF40C: lstrlen.KERNEL32(000000E4,00000000,PromptOnSecureDesktop,000000E4,025E772A,?), ref: 025EF414
                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 025E79F6
                                                                        • RegCloseKey.ADVAPI32(?), ref: 025E7A4D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                        • String ID: "$PromptOnSecureDesktop
                                                                        • API String ID: 3433985886-3108538426
                                                                        • Opcode ID: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                        • Instruction ID: dd6e97f73c1990ab52a90ed9f135ec4a51d87441ddcd8b671b251a93e64459d9
                                                                        • Opcode Fuzzy Hash: 6662dee372d798d6f1e3baf347185b0c176791543b489e25c2cc06528122fd8e
                                                                        • Instruction Fuzzy Hash: 0DC1837190020AABDF19DFA4DC45FEEBFB9FF59310F1040A5E506E6150EB719A84CB68
                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 025E2CED
                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 025E2D07
                                                                        • htons.WS2_32(00000000), ref: 025E2D42
                                                                        • select.WS2_32 ref: 025E2D8F
                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 025E2DB1
                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 025E2E62
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                        • String ID:
                                                                        • API String ID: 127016686-0
                                                                        • Opcode ID: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                        • Instruction ID: ddffff7a46212f1a2e8d0bd249d0f013e32ce4a2edbcbd25b09b684216ca84e9
                                                                        • Opcode Fuzzy Hash: 34b12e3987a7911b0151bc10fc282e4d0fd91c502d2533c711cf9584e7c9b6b6
                                                                        • Instruction Fuzzy Hash: 3961CF71508315ABDB24AF60DC09B7BBBECFB88745F044819FD86D6254D7B4D8808BAA
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                          • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                          • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                          • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                          • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                        • wsprintfA.USER32 ref: 0040AEA5
                                                                          • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                        • wsprintfA.USER32 ref: 0040AE4F
                                                                        • wsprintfA.USER32 ref: 0040AE5E
                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                        • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                        • API String ID: 3631595830-1816598006
                                                                        • Opcode ID: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                        • Instruction ID: 6edd35ca6b9ca9df7a5a601651cb978d50ba63929d11386258719776c0551fa5
                                                                        • Opcode Fuzzy Hash: ed5774bf6ac078b224cbf22e450ca61793c1c52625b21437799b5f936851b975
                                                                        • Instruction Fuzzy Hash: 0C4123B290030CBBDF25EFA1DC45EEE3BADFF08304F14442BB915A2191E679E5548B55
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                        • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                        • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                        • htons.WS2_32(00000035), ref: 00402E88
                                                                        • inet_addr.WS2_32(?), ref: 00402E93
                                                                        • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                        • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                        • String ID: GetNetworkParams$iphlpapi.dll
                                                                        • API String ID: 929413710-2099955842
                                                                        • Opcode ID: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                        • Instruction ID: af9ac6d56ee620c8fffc4a8d4b95bbdbc136fdcf8554a1f3230d1ae4f4a52a91
                                                                        • Opcode Fuzzy Hash: ac765a0f8383a0e22933114e4494c8504a9546d168c54e12ec6921eb1cd39c15
                                                                        • Instruction Fuzzy Hash: E3318131A40209ABDB119BB8DD4CAAF7778AF04361F144136F914F72D0DBB8D9819B9C
                                                                        APIs
                                                                        • GetVersionExA.KERNEL32(?), ref: 025E95A7
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 025E95D5
                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 025E95DC
                                                                        • wsprintfA.USER32 ref: 025E9635
                                                                        • wsprintfA.USER32 ref: 025E9673
                                                                        • wsprintfA.USER32 ref: 025E96F4
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 025E9758
                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 025E978D
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 025E97D8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 3696105349-2980165447
                                                                        • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                        • Instruction ID: b4791a228ba2d809b2f690eebd052f650d5319d515b8391664f7f022016da54e
                                                                        • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                        • Instruction Fuzzy Hash: 28A17BB2900249ABEF29DFA0CC45FDA3BADFB44740F104026FA16D2151E7B5D984CFA9
                                                                        APIs
                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmpi
                                                                        • String ID: 06A$46A$86A$smtp_ban$smtp_herr$smtp_retr
                                                                        • API String ID: 1586166983-142018493
                                                                        • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                        • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                        • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                        • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                        APIs
                                                                        • wsprintfA.USER32 ref: 0040B467
                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$wsprintf
                                                                        • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                        • API String ID: 1220175532-2340906255
                                                                        • Opcode ID: 491365892f8bb9f782b1eadb0c053184f090b87ac727cff77266b05d33f425ed
                                                                        • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                        • Opcode Fuzzy Hash: 491365892f8bb9f782b1eadb0c053184f090b87ac727cff77266b05d33f425ed
                                                                        • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00402078
                                                                        • GetTickCount.KERNEL32 ref: 004020D4
                                                                        • GetTickCount.KERNEL32 ref: 004020DB
                                                                        • GetTickCount.KERNEL32 ref: 0040212B
                                                                        • GetTickCount.KERNEL32 ref: 00402132
                                                                        • GetTickCount.KERNEL32 ref: 00402142
                                                                          • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4), ref: 0040F089
                                                                          • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,?,?,?,000000E4,000000C8), ref: 0040F093
                                                                          • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                          • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                          • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                        • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                        • API String ID: 3976553417-1522128867
                                                                        • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                        • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                        • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                        • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                        APIs
                                                                        • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                        • closesocket.WS2_32(00000000), ref: 0040F375
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: closesockethtonssocket
                                                                        • String ID: time_cfg
                                                                        • API String ID: 311057483-2401304539
                                                                        • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                        • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                        • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                        • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                        APIs
                                                                          • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                          • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                        • GetTickCount.KERNEL32 ref: 0040C31F
                                                                        • GetTickCount.KERNEL32 ref: 0040C32B
                                                                        • GetTickCount.KERNEL32 ref: 0040C363
                                                                        • GetTickCount.KERNEL32 ref: 0040C378
                                                                        • GetTickCount.KERNEL32 ref: 0040C44D
                                                                        • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                        • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                        • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                        • String ID: localcfg
                                                                        • API String ID: 1553760989-1857712256
                                                                        • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                        • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                        • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                        • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 025E3068
                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 025E3078
                                                                        • GetProcAddress.KERNEL32(00000000,00410408), ref: 025E3095
                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 025E30B6
                                                                        • htons.WS2_32(00000035), ref: 025E30EF
                                                                        • inet_addr.WS2_32(?), ref: 025E30FA
                                                                        • gethostbyname.WS2_32(?), ref: 025E310D
                                                                        • HeapFree.KERNEL32(00000000), ref: 025E314D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                        • String ID: iphlpapi.dll
                                                                        • API String ID: 2869546040-3565520932
                                                                        • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                        • Instruction ID: d324134c5c4e9bfca9e7fa03fcabbc5990372939809308646a65d40d5d52855e
                                                                        • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                        • Instruction Fuzzy Hash: 6631A431E00206BBDF199BB89C48BBE7FB8BF04764F1441A9E51AE7290DB74D9418B5C
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                        • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                        • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                        • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                        • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                        • String ID: DnsQuery_A$dnsapi.dll
                                                                        • API String ID: 3560063639-3847274415
                                                                        • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                        • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                        • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                        • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,PromptOnSecureDesktop,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                        • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$PromptOnSecureDesktop$kernel32
                                                                        • API String ID: 1082366364-2834986871
                                                                        • Opcode ID: 08590bedac40c171af98f9ef71e4763ddedd3488e6be67803c08e43eb8f6ec67
                                                                        • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                        • Opcode Fuzzy Hash: 08590bedac40c171af98f9ef71e4763ddedd3488e6be67803c08e43eb8f6ec67
                                                                        • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                        APIs
                                                                        • CreateProcessA.KERNEL32(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,PromptOnSecureDesktop), ref: 004097B1
                                                                        • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097EB
                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 004097F9
                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 00409831
                                                                        • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040984E
                                                                        • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,PromptOnSecureDesktop), ref: 0040985B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                        • String ID: D$PromptOnSecureDesktop
                                                                        • API String ID: 2981417381-1403908072
                                                                        • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                        • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                        • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                        • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8
                                                                        APIs
                                                                        • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 025E67C3
                                                                        • htonl.WS2_32(?), ref: 025E67DF
                                                                        • htonl.WS2_32(?), ref: 025E67EE
                                                                        • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 025E68F1
                                                                        • ExitProcess.KERNEL32 ref: 025E69BC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Processhtonl$CurrentExitHugeRead
                                                                        • String ID: except_info$localcfg
                                                                        • API String ID: 1150517154-3605449297
                                                                        • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                        • Instruction ID: e5773fdeb5622d1d62b74c12d11b2f37e8daacd954c8ba42da88e3f2c7131c50
                                                                        • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                        • Instruction Fuzzy Hash: 95617E72A40208AFDF649FB4DC45FEA7BE9FB48300F148066FA6DD2161EB7599908F14
                                                                        APIs
                                                                        • htons.WS2_32(025ECC84), ref: 025EF5B4
                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 025EF5CE
                                                                        • closesocket.WS2_32(00000000), ref: 025EF5DC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: closesockethtonssocket
                                                                        • String ID: time_cfg
                                                                        • API String ID: 311057483-2401304539
                                                                        • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                        • Instruction ID: 1032d1b826cee421fb3061f14e7967d0950d5fce9d2f1a6c506001ce015045e0
                                                                        • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                        • Instruction Fuzzy Hash: 663160B1900119ABDB10DFA5EC85DEE7BBCFF88310F104566F916D3150EB709A818BA8
                                                                        APIs
                                                                        • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                        • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                        • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                        • wsprintfA.USER32 ref: 00407036
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                        • String ID: /%d$|
                                                                        • API String ID: 676856371-4124749705
                                                                        • Opcode ID: 50e1d0fd506a25f4fcf020f7626363f0e34832197d4c239b412bec30e638236e
                                                                        • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                        • Opcode Fuzzy Hash: 50e1d0fd506a25f4fcf020f7626363f0e34832197d4c239b412bec30e638236e
                                                                        • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(?), ref: 025E2FA1
                                                                        • LoadLibraryA.KERNEL32(?), ref: 025E2FB1
                                                                        • GetProcAddress.KERNEL32(00000000,004103F0), ref: 025E2FC8
                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 025E3000
                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 025E3007
                                                                        • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 025E3032
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                        • String ID: dnsapi.dll
                                                                        • API String ID: 1242400761-3175542204
                                                                        • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                        • Instruction ID: 8c02e6f187229336ed978c45e0d6158fde6eb556150a27928978bb5cbd97832c
                                                                        • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                        • Instruction Fuzzy Hash: 31217C71900229BBCF229B94DC49ABEBFBDFF48B10F004461F906E7140D7B49A8187E8
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Code
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 3609698214-2980165447
                                                                        • Opcode ID: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                        • Instruction ID: deae59b9a6c18e17a8054c2740d34a6eafe128a66e3352cd220e92de8f8b68f4
                                                                        • Opcode Fuzzy Hash: 39c3a5a53f78f07926ecb9a894269625e93d17a87676cf1a9de91011702fa4cf
                                                                        • Instruction Fuzzy Hash: D7218B72208115FFEB10ABB1ED49EDF3EACDB08364B218436F543F1091EA799A50966C
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\wukhxvso,025E7043), ref: 025E6F4E
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 025E6F55
                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 025E6F7B
                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 025E6F92
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                        • String ID: C:\Windows\SysWOW64\$PromptOnSecureDesktop$\\.\pipe\wukhxvso
                                                                        • API String ID: 1082366364-1686062893
                                                                        • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                        • Instruction ID: 2ead2fe5265e6cccd5b5e5ca9a802e43d66a6a1031994f842a083e4686842421
                                                                        • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                        • Instruction Fuzzy Hash: 6E2138617403413EFF2A5731DC88FFB3E4DAB96764F1840A5F806D5480EBD984D6866E
                                                                        APIs
                                                                        • GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                        • wsprintfA.USER32 ref: 004090E9
                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                        • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                        • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                        • CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 2439722600-2980165447
                                                                        • Opcode ID: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                        • Instruction ID: 58bbe077760212e8da181cf829ffda1a70542de1f4ba4b23f7e3a80b8f6fba70
                                                                        • Opcode Fuzzy Hash: f28af15f22a92dcef6476bc2819c454602b50741f9449e0ae3514995eeab5b50
                                                                        • Instruction Fuzzy Hash: 451175B26401147AF7246723DD0AFEF3A6DDBC8704F04C47AB70AB50D1EAB94A519668
                                                                        APIs
                                                                        • GetTempPathA.KERNEL32(00000400,?), ref: 025E92E2
                                                                        • wsprintfA.USER32 ref: 025E9350
                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 025E9375
                                                                        • lstrlen.KERNEL32(?,?,00000000), ref: 025E9389
                                                                        • WriteFile.KERNEL32(00000000,?,00000000), ref: 025E9394
                                                                        • CloseHandle.KERNEL32(00000000), ref: 025E939B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 2439722600-2980165447
                                                                        • Opcode ID: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                        • Instruction ID: f4d9e1310c78de484fa183fb705e2c1beb965daf9058b3192c31138ac2c0bd62
                                                                        • Opcode Fuzzy Hash: 15e5744a609ce20ae0f07ead06a63c4ecb295d114b6c11b49a51968f57c888d1
                                                                        • Instruction Fuzzy Hash: 89119DB17401147BEB256B31DC0DFEF3A6EEBC8710F00C065BB16E5090EEB44A418A69
                                                                        APIs
                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 025E9A18
                                                                        • GetThreadContext.KERNEL32(?,?), ref: 025E9A52
                                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 025E9A60
                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 025E9A98
                                                                        • SetThreadContext.KERNEL32(?,00010002), ref: 025E9AB5
                                                                        • ResumeThread.KERNEL32(?), ref: 025E9AC2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                        • String ID: D
                                                                        • API String ID: 2981417381-2746444292
                                                                        • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                        • Instruction ID: f1c2065ce2cafc3af22ca24699c6b92e57d7cafcfba8c56bcf0d2c16df5dba60
                                                                        • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                        • Instruction Fuzzy Hash: 54213D71A01219BBDF119BA1DC09EEFBFBCFF04750F404461BA1AE1050EB758A84CBA8
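The function at 025E9A18..025E9AC2 above is the textbook suspended-process injection chain: CreateProcessA with dwCreationFlags 0x00000004 (CREATE_SUSPENDED), WriteProcessMemory into the new process, SetThreadContext to redirect its primary thread, ResumeThread to run it. The other traces on this page carry similarly decodable constants, for example RegOpenKeyExA at 0040E3E6 opens hKey 0x80000001 (HKEY_CURRENT_USER) with samDesired 0x00020119, which is KEY_READ | KEY_WOW64_64KEY, i.e. the 32-bit SysWOW64 process explicitly asking for the 64-bit registry view. The following is an added example, not part of the Joe Sandbox report: a small Python parser for these "• Func.MODULE(args), ref: ADDR" lines that decodes such constants from the Windows SDK and flags the injection chain. The sample input is copied from the report above; the assumption is only that Joe Sandbox prints arguments as raw hex with "?" for values it could not resolve, as seen on this page. Note that these listings come from the IDA plugin, so the "sequence" is call-site address order inside one function, not an observed runtime order; the matcher treats it as such.

```python
"""Added example (not from the Joe Sandbox report): parse the 'APIs' trace
lines above, decode the Windows constants they carry, and flag the
suspended-process injection chain CreateProcess(CREATE_SUSPENDED) ->
WriteProcessMemory -> SetThreadContext -> ResumeThread."""
import re
from typing import Dict, List, Optional

# Constructed sample: API lines copied from the report above (the injection
# function at 025E9A18..025E9AC2 plus single calls taken from other functions).
SAMPLE_TRACE = """\
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 025E9A18
• GetThreadContext.KERNEL32(?,?), ref: 025E9A52
• TerminateProcess.KERNEL32(?,00000000), ref: 025E9A60
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 025E9A98
• SetThreadContext.KERNEL32(?,00010002), ref: 025E9AB5
• ResumeThread.KERNEL32(?), ref: 025E9AC2
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
• socket.WS2_32(00000002,00000001,00000000), ref: 025EF5CE
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 025E6CE4
• GetProcessHeap.KERNEL32 ref: 025E1C84
"""

# "• Func.MODULE(arg,arg,...), ref: ADDR"; the argument list is absent for
# calls Joe Sandbox prints without one (e.g. GetProcessHeap, wsprintfA).
LINE_RE = re.compile(
    r"^•\s*(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Windows SDK constants (winnt.h / winbase.h / winreg.h / winsock2.h).
CREATE_SUSPENDED = 0x00000004
HKEYS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
         0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
KEY_READ = 0x00020019            # STANDARD_RIGHTS_READ|QUERY_VALUE|ENUMERATE_SUB_KEYS|NOTIFY
KEY_WOW64_64KEY = 0x00000100
KEY_WOW64_32KEY = 0x00000200
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ADDRESS_FAMILY = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
INJECTION_CHAIN = ("CreateProcess", "WriteProcessMemory", "SetThreadContext", "ResumeThread")


def parse_line(line: str) -> Optional[Dict]:
    """Return {'func','module','args','ref'} for one trace line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("args")
    return {"func": m.group("func"), "module": m.group("module"),
            "args": raw.split(",") if raw else [], "ref": m.group("ref")}


def as_int(arg: str) -> Optional[int]:
    """Joe Sandbox prints hex; '?' (unresolved) and string literals give None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def flags(value: int, table: Dict[int, str]) -> str:
    names = [name for bit, name in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def decode_call(call: Dict) -> List[str]:
    """Human-readable meaning of the constants in one call, where known."""
    a = [as_int(x) for x in call["args"]]
    f = call["func"]
    out: List[str] = []
    if f in ("CreateProcessA", "CreateProcessW") and len(a) > 5 and a[5] is not None:
        if a[5] & CREATE_SUSPENDED:
            out.append("dwCreationFlags has CREATE_SUSPENDED")
    elif f in ("RegOpenKeyExA", "RegOpenKeyExW") and len(a) > 3:
        if a[0] in HKEYS:
            out.append("hKey=" + HKEYS[a[0]])
        if a[3] is not None:
            sam = ["KEY_READ"] if a[3] & KEY_READ == KEY_READ else []
            sam += [n for bit, n in ((KEY_WOW64_64KEY, "KEY_WOW64_64KEY"),
                                     (KEY_WOW64_32KEY, "KEY_WOW64_32KEY")) if a[3] & bit]
            out.append("samDesired=" + ("|".join(sam) or hex(a[3])))
    elif f == "socket" and len(a) >= 2:
        out.append(f"{ADDRESS_FAMILY.get(a[0], a[0])}/{SOCKET_TYPE.get(a[1], a[1])}")
    elif f in ("CreateFileA", "CreateFileW") and len(a) > 4:
        if a[1] is not None:
            out.append("access=" + flags(a[1], GENERIC_ACCESS))
        if a[4] in DISPOSITION:
            out.append("disposition=" + DISPOSITION[a[4]])
    return out


def find_suspended_injection(calls: List[Dict]) -> bool:
    """True when the calls contain, in listed order, CreateProcess* with
    CREATE_SUSPENDED, then WriteProcessMemory, SetThreadContext, ResumeThread."""
    stage = 0
    for c in calls:
        if c["func"].startswith(INJECTION_CHAIN[stage]):
            if stage == 0 and not any("CREATE_SUSPENDED" in d for d in decode_call(c)):
                continue
            stage += 1
            if stage == len(INJECTION_CHAIN):
                return True
    return False


def analyze(trace: str) -> Dict:
    calls = [c for c in (parse_line(l) for l in trace.splitlines()) if c]
    decoded: Dict[str, List[str]] = {}
    for c in calls:
        notes = decode_call(c)
        if notes:
            decoded[f"{c['func']}@{c['ref']}"] = notes
    return {"calls": calls, "decoded": decoded,
            "suspended_injection": find_suspended_injection(calls)}


if __name__ == "__main__":
    result = analyze(SAMPLE_TRACE)
    for key, notes in result["decoded"].items():
        print(key, "->", "; ".join(notes))
    print("suspended-process injection chain:", result["suspended_injection"])
```

Run against the embedded sample, `analyze` reports the CREATE_SUSPENDED flag on the CreateProcessA at 025E9A18, HKEY_CURRENT_USER with KEY_READ|KEY_WOW64_64KEY for the RegOpenKeyExA at 0040E3E6, AF_INET/SOCK_STREAM for the socket at 025EF5CE, GENERIC_WRITE with CREATE_ALWAYS for the CreateFileA at 025E6CE4, and marks the injection chain as present. Feeding it the "APIs" block of any other function on this page is a quick way to triage which traces deserve a closer look in the dump.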
                                                                        APIs
                                                                        • inet_addr.WS2_32(004102D8), ref: 025E1C18
                                                                        • LoadLibraryA.KERNEL32(004102C8), ref: 025E1C26
                                                                        • GetProcessHeap.KERNEL32 ref: 025E1C84
                                                                        • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 025E1C9D
                                                                        • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 025E1CC1
                                                                        • HeapFree.KERNEL32(?,00000000,00000000), ref: 025E1D02
                                                                        • FreeLibrary.KERNEL32(?), ref: 025E1D0B
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                        • String ID:
                                                                        • API String ID: 2324436984-0
                                                                        • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                        • Instruction ID: 3f3679cb079f64434dee62ad55372c9fd0144f4c76ecf8fe0070730e94c6ad2d
                                                                        • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                        • Instruction Fuzzy Hash: 85315E31E00219BFCF159FA4DD888EEBFB9FB45305B24847AE50AE6110D7B54E80DB98
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,PromptOnSecureDesktop), ref: 0040E3E6
                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
                                                                        • RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
                                                                        • RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: QueryValue$CloseOpen
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 1586453840-2980165447
                                                                        • Opcode ID: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                        • Instruction ID: f21eb42f94b351107ce6bcf9928d909f9cde6c0f887f3b022360bbb50f243882
                                                                        • Opcode Fuzzy Hash: aa9c7803f1892efbeb2ec60484cf553e29528730025646744f8bae12e973cd09
                                                                        • Instruction Fuzzy Hash: D94106B2D00219BFDF119FD5DC81DEEBBB9EB08308F14487AE910B2291E3359A559B64
                                                                        APIs
                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,PromptOnSecureDesktop,0040A3C7), ref: 00404290
                                                                        • CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
                                                                        • CloseHandle.KERNEL32(00000001), ref: 004043AE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseHandle$CreateEvent
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 1371578007-2980165447
                                                                        • Opcode ID: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                        • Instruction ID: 580dd723e2696739ab8c529274da47b2bc3b4765397f1bbb4cd5042057411b76
                                                                        • Opcode Fuzzy Hash: 0dd57ba844ed6ccee3cc7ff792ca289a65d044fd43fa66271c948426b094db86
                                                                        • Instruction Fuzzy Hash: F94181B1900209BADB109BA2CD45F9FBFBCEF40355F104566F614B21C1D7789A51DBA4
                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 025E6CE4
                                                                        • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 025E6D22
                                                                        • GetLastError.KERNEL32 ref: 025E6DA7
                                                                        • CloseHandle.KERNEL32(?), ref: 025E6DB5
                                                                        • GetLastError.KERNEL32 ref: 025E6DD6
                                                                        • DeleteFileA.KERNEL32(?), ref: 025E6DE7
                                                                        • GetLastError.KERNEL32 ref: 025E6DFD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                        • String ID:
                                                                        • API String ID: 3873183294-0
                                                                        • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                        • Instruction ID: 02f64e8b94740b522be43c05c228c15ab18c9a190ba2a902a8fde2a26074b25e
                                                                        • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                        • Instruction Fuzzy Hash: 9E310172900249BFCF05DFA4DE48ADE7F7DFB98350F1480A5E212E3250D7708A858B69
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,PromptOnSecureDesktop), ref: 0040915F
                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                        • CharToOemA.USER32(?,?), ref: 00409174
                                                                        • wsprintfA.USER32 ref: 004091A9
                                                                          • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,PromptOnSecureDesktop), ref: 0040907B
                                                                          • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                          • Part of subcall function 00409064: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                          • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                          • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                          • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 3857584221-2980165447
                                                                        • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                        • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                        • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                        • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 025E93C6
                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 025E93CD
                                                                        • CharToOemA.USER32(?,?), ref: 025E93DB
                                                                        • wsprintfA.USER32 ref: 025E9410
                                                                          • Part of subcall function 025E92CB: GetTempPathA.KERNEL32(00000400,?), ref: 025E92E2
                                                                          • Part of subcall function 025E92CB: wsprintfA.USER32 ref: 025E9350
                                                                          • Part of subcall function 025E92CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 025E9375
                                                                          • Part of subcall function 025E92CB: lstrlen.KERNEL32(?,?,00000000), ref: 025E9389
                                                                          • Part of subcall function 025E92CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 025E9394
                                                                          • Part of subcall function 025E92CB: CloseHandle.KERNEL32(00000000), ref: 025E939B
                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 025E9448
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 3857584221-2980165447
                                                                        • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                        • Instruction ID: e375900ed1bb6486d4a95c2a243019aef532d7d4b1228624d3706302d9ea62c9
                                                                        • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                        • Instruction Fuzzy Hash: 810152F69001197BDB21A761DD49EDF3B7CEBD5701F0040A1BB4AE2080EAB496C58F75
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen
                                                                        • String ID: $localcfg
                                                                        • API String ID: 1659193697-2018645984
                                                                        • Opcode ID: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                        • Instruction ID: 753f7b77fcc690198295260d4a40d4bdd53e88c012304e2c69d7a95f58d7c12f
                                                                        • Opcode Fuzzy Hash: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                        • Instruction Fuzzy Hash: 35715A72A00309AADF298B74DD85FEE3F6EBB40319F244466F907A2090DF6285C4CB5D
                                                                        APIs
                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                          • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                        • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                        • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                        • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                        • String ID: flags_upd$localcfg
                                                                        • API String ID: 204374128-3505511081
                                                                        • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                        • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                        • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                        • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                        APIs
                                                                          • Part of subcall function 025EDF6C: GetCurrentThreadId.KERNEL32 ref: 025EDFBA
                                                                        • lstrcmp.KERNEL32(00410178,00000000), ref: 025EE8FA
                                                                        • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,025E6128), ref: 025EE950
                                                                        • lstrcmp.KERNEL32(?,00000008), ref: 025EE989
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                        • String ID: A$ A$ A
                                                                        • API String ID: 2920362961-1846390581
                                                                        • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                        • Instruction ID: 1a88cd713a3bc56ebe39eccb7922b188e06b67c6db1188bc6f54dbea020d0aa2
                                                                        • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                        • Instruction Fuzzy Hash: DD31AA31A107169BCF798F24C886BA67BE8FB15734F00892AE5A7C7550D371E880CB89
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Code
                                                                        • String ID:
                                                                        • API String ID: 3609698214-0
                                                                        • Opcode ID: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                        • Instruction ID: 020e12823431d5965ea7972a90c1880a7ba5d61346a31ed422d6a44060689680
                                                                        • Opcode Fuzzy Hash: dbd61df3ebb78cc6fa2ed7637639bc7d17aa9fbedb66480432ceb7f56d018bc4
                                                                        • Instruction Fuzzy Hash: FA211D72104115BFDF18AB70EC49EDF7FADEB496A5B108465F503D1090EB71DA409678
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 0040DD0F
                                                                        • GetCurrentThreadId.KERNEL32 ref: 0040DD20
                                                                        • GetTickCount.KERNEL32 ref: 0040DD2E
                                                                        • Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
                                                                        • InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                        • GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                        • String ID:
                                                                        • API String ID: 3819781495-0
                                                                        • Opcode ID: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                        • Instruction ID: 5047c4a85d7ce053583ecb6bfb553561e79882e3d1eaa06aec664d00f8baf4e0
                                                                        • Opcode Fuzzy Hash: 00222842cf4b27377529e63430db8cbc0b0fb89ac28641eb4cfa7891be51bad4
                                                                        • Instruction Fuzzy Hash: 1AF0E971604204AFD7505FA5BC84BB53FA4EB48353F008077E109D22A8C77455898F2E
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 025EC6B4
                                                                        • InterlockedIncrement.KERNEL32(025EC74B), ref: 025EC715
                                                                        • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,025EC747), ref: 025EC728
                                                                        • CloseHandle.KERNEL32(00000000,?,025EC747,00413588,025E8A77), ref: 025EC733
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
                                                                        • String ID: localcfg
                                                                        • API String ID: 1026198776-1857712256
                                                                        • Opcode ID: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                        • Instruction ID: 8b02f0403206de7662327523911b0427919cfec80921682442ddee50d9c7127c
                                                                        • Opcode Fuzzy Hash: 7930164416072ce379d69f2024e67a12fb5078e265013c4e4f79f9c65834da75
                                                                        • Instruction Fuzzy Hash: 8A514CB1A01B418FDB288F69C5D562BBBE9FB88305B50593FE18BC7A90D774E840CB14
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
                                                                          • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                          • Part of subcall function 0040675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                          • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                          • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                          • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                          • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                          • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                          • Part of subcall function 0040675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                          • Part of subcall function 0040675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                          • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                          • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 124786226-2980165447
                                                                        • Opcode ID: 8c18a3b068088e326932d6bb7448d6999afe88f1a57d3caa8edfbced1390b2d2
                                                                        • Instruction ID: c6ff5cc28a73505882571aaa3479db7aabb841166acb9389a4089cab67cb233b
                                                                        • Opcode Fuzzy Hash: 8c18a3b068088e326932d6bb7448d6999afe88f1a57d3caa8edfbced1390b2d2
                                                                        • Instruction Fuzzy Hash: 6641A2B1801109BFEB10EBA19E81DEF777CDB04304F1448BFF545F2182EAB85A948B59
                                                                        APIs
                                                                        • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                        • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                        • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                        • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Value$CloseCreateDelete
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 2667537340-2980165447
                                                                        • Opcode ID: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                        • Instruction ID: af4a942e7328ea1ce2cdf979f73f75556816175b5134196b99f0fb832a21e1c2
                                                                        • Opcode Fuzzy Hash: 72ec9626f1a57597f212d5c6e724b1b36c6131d7c0d684d5184da94b21603b05
                                                                        • Instruction Fuzzy Hash: 2F218071A00219BBDF209FA6EC89EDF7F79EF08754F008072F904A6190E6718A64DB94
                                                                        APIs
                                                                        • RegCreateKeyExA.ADVAPI32(80000001,025EE50A,00000000,00000000,00000000,00020106,00000000,025EE50A,00000000,000000E4), ref: 025EE319
                                                                        • RegSetValueExA.ADVAPI32(025EE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 025EE38E
                                                                        • RegDeleteValueA.ADVAPI32(025EE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 025EE3BF
                                                                        • RegCloseKey.ADVAPI32(025EE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,025EE50A), ref: 025EE3C8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Value$CloseCreateDelete
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 2667537340-2980165447
                                                                        • Opcode ID: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                        • Instruction ID: bad357c0ccc61cd0caf35ac216e2e3cceb5394eefc787abfd030515c858d2e2a
                                                                        • Opcode Fuzzy Hash: 71be46fcf4b4c1b855c56a8beb8c548cd5d416d4e28516e03566d8543fb954ad
                                                                        • Instruction Fuzzy Hash: 04217C71A1021DABDF209FA4EC89EEE7F79FF08760F008021F905E6150E7719A54CBA4
                                                                        APIs
                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 025E71E1
                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 025E7228
                                                                        • LocalFree.KERNEL32(?,?,?), ref: 025E7286
                                                                        • wsprintfA.USER32 ref: 025E729D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Name$AccountFreeLocalLookupUserwsprintf
                                                                        • String ID: |
                                                                        • API String ID: 2539190677-2343686810
                                                                        • Opcode ID: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                        • Instruction ID: 7e399aa61878840c37983007861a8c4b6168dfaa5e1f558fa2b718171fe13eda
                                                                        • Opcode Fuzzy Hash: 0c0665c49b02975d3cb655efb4674a53369201e8279effc4896e63a6fe97e42a
                                                                        • Instruction Fuzzy Hash: 31311A72900209BBDF15DFA8DC45BDA7BADFF08314F148066F95ADB100EB75D6488B98
                                                                        APIs
                                                                        • gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                        • lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                        • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$gethostnamelstrcpy
                                                                        • String ID: LocalHost
                                                                        • API String ID: 3695455745-3154191806
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(?), ref: 025EB51A
                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 025EB529
                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 025EB548
                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 025EB590
                                                                        • wsprintfA.USER32 ref: 025EB61E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Time$File$Local$InformationSystemZonewsprintf
                                                                        • String ID:
                                                                        • API String ID: 4026320513-0
                                                                        APIs
                                                                        • IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 025E6303
                                                                        • LoadLibraryA.KERNEL32(?), ref: 025E632A
                                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 025E63B1
                                                                        • IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 025E6405
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: HugeRead$AddressLibraryLoadProc
                                                                        • String ID:
                                                                        • API String ID: 3498078134-0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        APIs
                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                        • lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
                                                                        • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                        • lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                        • String ID: A$ A
                                                                        • API String ID: 3343386518-686259309
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 0040272E
                                                                        • htons.WS2_32(00000001), ref: 00402752
                                                                        • htons.WS2_32(0000000F), ref: 004027D5
                                                                        • htons.WS2_32(00000001), ref: 004027E3
                                                                        • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                          • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                          • Part of subcall function 0040EBCC: RtlAllocateHeap.NTDLL(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                        • String ID:
                                                                        • API String ID: 1128258776-0
                                                                        APIs
                                                                        • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                        • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                        • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: setsockopt
                                                                        • String ID:
                                                                        • API String ID: 3981526788-0
                                                                        APIs
                                                                        • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                        • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                        • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$lstrcmpi
                                                                        • String ID: localcfg
                                                                        • API String ID: 1808961391-1857712256
                                                                        APIs
                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E558
                                                                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E583
                                                                        • CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,0040A445), ref: 0040E5B2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 3683885500-2980165447
                                                                        APIs
                                                                          • Part of subcall function 025EDF6C: GetCurrentThreadId.KERNEL32 ref: 025EDFBA
                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,00410170,?,00000000,?,025EA6AC), ref: 025EE7BF
                                                                        • ReadFile.KERNEL32(00000000,004136C4,00000000,?,00000000,?,00410170,?,00000000,?,025EA6AC), ref: 025EE7EA
                                                                        • CloseHandle.KERNEL32(00000000,?,00410170,?,00000000,?,025EA6AC), ref: 025EE819
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$CloseCurrentHandleReadSizeThread
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 1396056608-2980165447
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                        • API String ID: 2574300362-1087626847
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 025E76D9
                                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 025E796D
                                                                        • RegCloseKey.ADVAPI32(?), ref: 025E797E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseEnumOpen
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 1332880857-2980165447
                                                                        APIs
                                                                          • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                          • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                        • String ID: hi_id$localcfg
                                                                        • API String ID: 2777991786-2393279970
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,PromptOnSecureDesktop,00000000,?,?,0040A14A), ref: 00409736
                                                                        • RegDeleteValueA.ADVAPI32(0040A14A,00000000,?,?,?,?,?,?,?,?,?,0040A14A), ref: 00409756
                                                                        • RegCloseKey.ADVAPI32(0040A14A,?,?,?,?,?,?,?,?,?,0040A14A), ref: 0040975F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseDeleteOpenValue
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 849931509-2980165447
                                                                        • Opcode ID: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                        • Instruction ID: 5e38ed9511aa8cc069582274463af9cddeeab7037fd65aad7bdf8be664a95ff7
                                                                        • Opcode Fuzzy Hash: 2a8abeb1ae8c575472f9bd74b3adb91cbf41d09789710805d0faf142c4fb6012
                                                                        • Instruction Fuzzy Hash: 5AF0C8B2680118BBF3106B51AC0BFDF3A2CDB44704F100075F605B50D2E6E55E9082BD
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 025E999D
                                                                        • RegDeleteValueA.ADVAPI32(?,00000000), ref: 025E99BD
                                                                        • RegCloseKey.ADVAPI32(?), ref: 025E99C6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseDeleteOpenValue
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 849931509-2980165447
                                                                        • Opcode ID: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                        • Instruction ID: 9f49543741207bb97dbf147fc88be86995b5bedf2bd679fd3a5c10bfb68e7f6c
                                                                        • Opcode Fuzzy Hash: ecc939a75216a7bc4a9662cd8f3630595b0eae10caf242afcee65d599bec8ec6
                                                                        • Instruction Fuzzy Hash: C4F09CB2640108BBF7116754EC07FDB3E2DEB95754F104061FA06F5091F6E55A9046FD
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: gethostbynameinet_addr
                                                                        • String ID: time_cfg$u6A
                                                                        • API String ID: 1594361348-1940331995
                                                                        • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                        • Instruction ID: 25beefd5fa0a6110532e3ab9418d81832a50e9416be7c6c01923a126ba77eabf
                                                                        • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                        • Instruction Fuzzy Hash: FCE08C306082218FDB008B28F848AC53BA9BF0A230F018181F851C31A5C7349CC09648
                                                                        APIs
                                                                        • SetFileAttributesA.KERNEL32(?,00000080), ref: 025E69E5
                                                                        • SetFileAttributesA.KERNEL32(?,00000002), ref: 025E6A26
                                                                        • GetFileSize.KERNEL32(000000FF,00000000), ref: 025E6A3A
                                                                        • CloseHandle.KERNEL32(000000FF), ref: 025E6BD8
                                                                          • Part of subcall function 025EEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,025E1DCF,?), ref: 025EEEA8
                                                                          • Part of subcall function 025EEE95: HeapFree.KERNEL32(00000000), ref: 025EEEAF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                        • String ID:
                                                                        • API String ID: 3384756699-0
                                                                        • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                        • Instruction ID: aca50a13f7c203a2d56c6c1e53d83dc25234b9517b21aeaeb4e53dc488bc17a3
                                                                        • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                        • Instruction Fuzzy Hash: EB7115B190022DEFDF149FA4CC80AEEBBBDFB04354F1045AAE516A6190D7749E92CB64
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wsprintf
                                                                        • String ID: %u.%u.%u.%u.%s$localcfg
                                                                        • API String ID: 2111968516-120809033
                                                                        • Opcode ID: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                        • Instruction ID: f60862e96afe744063ef1f8e151e0253a3d6131670b42bf9f562b78b9aabf051
                                                                        • Opcode Fuzzy Hash: 013209f5f393509082169113c365cfa774f3339610439ce827356f9210efd2df
                                                                        • Instruction Fuzzy Hash: 3C41C1729042999FDB21DF798D44BEE7BE89F49310F240066FD64E3192D639EA04CBA4
                                                                        APIs
                                                                        • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                        • GetLastError.KERNEL32 ref: 00403F4E
                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                        • String ID:
                                                                        • API String ID: 3373104450-0
                                                                        • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                        • Instruction ID: 81d5a9f64dfd66904774ebc82d2e0e48c629fa8216d99cd76bf4a5dbd4e59073
                                                                        • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                        • Instruction Fuzzy Hash: B9010C7291110AABDF01DF90ED44BEF7B7CEB08356F104066FA01E2190D774DA558BB6
                                                                        APIs
                                                                        • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                        • GetLastError.KERNEL32 ref: 00403FC2
                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                        • String ID:
                                                                        • API String ID: 888215731-0
                                                                        • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                        • Instruction ID: 44fd539f7a3468c5635e20a1652967c761b46accf60e77792ab8a53432005efc
                                                                        • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                        • Instruction Fuzzy Hash: A601177291110AAFDF01DF90ED45BEF3B7CEF08356F004062F906E2090D7749A549BA6
                                                                        APIs
                                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 025E41AB
                                                                        • GetLastError.KERNEL32 ref: 025E41B5
                                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 025E41C6
                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 025E41D9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                        • String ID:
                                                                        • API String ID: 3373104450-0
                                                                        • Opcode ID: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                        • Instruction ID: 7325546f40643011e5270622d3e81cad1d1fd68bbd7c9e290fb339c02a1d7dcf
                                                                        • Opcode Fuzzy Hash: 9f1c12f5bce82851f463a843ee7e6df514edb3150162876966f253c0cf19dcdf
                                                                        • Instruction Fuzzy Hash: 0701087691110AAFDF05DF90ED84BEF7BACFB18259F008061F902E2050D770DA648BBA
                                                                        APIs
                                                                        • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 025E421F
                                                                        • GetLastError.KERNEL32 ref: 025E4229
                                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 025E423A
                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 025E424D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                        • String ID:
                                                                        • API String ID: 888215731-0
                                                                        • Opcode ID: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                        • Instruction ID: 55b06d1d327631adaf3fb7ab44b6d56ce05e57a159bc593b7ac897402f02b6de
                                                                        • Opcode Fuzzy Hash: 7dacf77ebfc6f27f1d23b030b7b6a0e1e1f459510f641919a7ac9d23c17bf39a
                                                                        • Instruction Fuzzy Hash: 1A01C872511109AFDF01DF90ED84BEF7BACFB08255F1084A1F902E2050D770EA549BBA
                                                                        APIs
                                                                        • lstrcmp.KERNEL32(?,80000009), ref: 025EE066
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmp
                                                                        • String ID: A$ A$ A
                                                                        • API String ID: 1534048567-1846390581
                                                                        • Opcode ID: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                        • Instruction ID: fdd17aacfea24a38fc4c07ca3680e6a9ea0ca67b5b2e536801fe8761bf10dcd1
                                                                        • Opcode Fuzzy Hash: 328de717d7c8de90c20bd47ba6ba1583dee1274120ab1c13f1680d5d51b61bca
                                                                        • Instruction Fuzzy Hash: 7AF06232200712DBCF34CF25D884AA2BBE9FB05335B44866AE556C3060D374A499CB59
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                        • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                        • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                        • String ID:
                                                                        • API String ID: 2207858713-0
                                                                        • Opcode ID: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                        • Instruction ID: a5473328a7e7118e9aede6741b06156156ec1e7733dd8d1ec56465b12724d56e
                                                                        • Opcode Fuzzy Hash: 4cd0520482080c365333fb8aab0c55e365768e1349ae612301bcb729eb943e51
                                                                        • Instruction Fuzzy Hash: 7DE0863720131567C6005BA5BD84FAA7B98AB4D761F164072FB08E3280D6AAA99145BF
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00404E9E
                                                                        • GetTickCount.KERNEL32 ref: 00404EAD
                                                                        • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                        • String ID:
                                                                        • API String ID: 2207858713-0
                                                                        • Opcode ID: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                        • Instruction ID: 0be737a4b1ecb403dd0b6a084e6b0260aeafc6613011e157a8d43e60cd200510
                                                                        • Opcode Fuzzy Hash: 574f7709b1251d8d4516fda0e718bcbaf1509578ef326d685951742d25275ed5
                                                                        • Instruction Fuzzy Hash: 6AE086B620121457D61027B9FD84F966A89AB9A361F010532F70DE21C0C6AA989345FD
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00404BDD
                                                                        • GetTickCount.KERNEL32 ref: 00404BEC
                                                                        • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                        • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                        • String ID:
                                                                        • API String ID: 2207858713-0
                                                                        • Opcode ID: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                        • Instruction ID: c27c4130c4fb343c81443d6f5f76baf76a02980c1ff66e5fdc0d00212ab38f61
                                                                        • Opcode Fuzzy Hash: 1ad869c4a91a2c80201434bef060b196597965ff38d45849583c02ff4b747b44
                                                                        • Instruction Fuzzy Hash: FCE0867624521457D61027A66D80FA67BA89B99361F064073F70CE2190C9AAE48141BD
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00403103
                                                                        • GetTickCount.KERNEL32 ref: 0040310F
                                                                        • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                        • String ID:
                                                                        • API String ID: 2207858713-0
                                                                        • Opcode ID: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                        • Instruction ID: 9edc608f4d32da9f9de986fa19dd3c9deb40157c310ade5cfb00ff6fe32d5b40
                                                                        • Opcode Fuzzy Hash: 5475aadbbb6481cfb66701b566d3724b8cf1f0baef2ba10e865a3ab4c750e63b
                                                                        • Instruction Fuzzy Hash: 51E0C235200215ABDB00AF75BD44B8A6E9EDF8C762F014432F205EA1E0C9F44D51897A
                                                                        APIs
                                                                        • WriteFile.KERNEL32(00000001,0040DAE0,00000000,00000000,00000000), ref: 0040E209
                                                                        • CloseHandle.KERNEL32(00000001,00000003), ref: 0040E21D
                                                                          • Part of subcall function 0040E095: RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                          • Part of subcall function 0040E095: RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E127
                                                                          • Part of subcall function 0040E095: RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 0040E158
                                                                          • Part of subcall function 0040E095: RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 4151426672-2980165447
                                                                        • Opcode ID: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                        • Instruction ID: b34283ca0245a4d5345772c7626065eb71a791ff6ac24fd5689ebe733b27dfc9
                                                                        • Opcode Fuzzy Hash: b35f9f727470473fe34b0fcdae204b38b052469ea0fd64ba9bdd2db24e4b8a6b
                                                                        • Instruction Fuzzy Hash: 5D41DB71940214BADB205E938C06FDB3F6CEB44754F1084BEFA09B41D2E6B99A60D6BD
                                                                        APIs
                                                                        • WriteFile.KERNEL32(00000001,025E44E2,00000000,00000000,00000000), ref: 025EE470
                                                                        • CloseHandle.KERNEL32(00000001,00000003), ref: 025EE484
                                                                          • Part of subcall function 025EE2FC: RegCreateKeyExA.ADVAPI32(80000001,025EE50A,00000000,00000000,00000000,00020106,00000000,025EE50A,00000000,000000E4), ref: 025EE319
                                                                          • Part of subcall function 025EE2FC: RegSetValueExA.ADVAPI32(025EE50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 025EE38E
                                                                          • Part of subcall function 025EE2FC: RegDeleteValueA.ADVAPI32(025EE50A,?,?,?,?,?,000000C8,PromptOnSecureDesktop), ref: 025EE3BF
                                                                          • Part of subcall function 025EE2FC: RegCloseKey.ADVAPI32(025EE50A,?,?,?,?,000000C8,PromptOnSecureDesktop,?,?,?,?,?,?,?,?,025EE50A), ref: 025EE3C8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseValue$CreateDeleteFileHandleWrite
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 4151426672-2980165447
                                                                        • Opcode ID: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                        • Instruction ID: dd8d151b11a3e072e3e7ac62087e7e042e8930babcdb681f364299c582cfeb9f
                                                                        • Opcode Fuzzy Hash: f9347908c3accb151d66d4a2045a2710535659ff764f1ec32379916764927f64
                                                                        • Instruction Fuzzy Hash: 9041B2B2D10215BAEF246E51CC47FEB3E6CFF44774F148065FA0BA4091E7B58650DAA8
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 025E83C6
                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 025E8477
                                                                          • Part of subcall function 025E69C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 025E69E5
                                                                          • Part of subcall function 025E69C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 025E6A26
                                                                          • Part of subcall function 025E69C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 025E6A3A
                                                                          • Part of subcall function 025EEE95: GetProcessHeap.KERNEL32(00000000,?,00000000,025E1DCF,?), ref: 025EEEA8
                                                                          • Part of subcall function 025EEE95: HeapFree.KERNEL32(00000000), ref: 025EEEAF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 359188348-2980165447
                                                                        • Opcode ID: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                        • Instruction ID: cd0d6466c9b38358c92c494a1f6a08a9bbd1f81e40c156d52143f554c6f15790
                                                                        • Opcode Fuzzy Hash: c1a48b1ac5137ef9544f8785227e3e3eae959810ca81eb1dd85f310690abdf03
                                                                        • Instruction Fuzzy Hash: 344172B2900109BFDF18EBA0DE85EFF7B6DFB44348F0444A6E506D6060E7B15A548B58
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,025EE859,00000000,00020119,025EE859,PromptOnSecureDesktop), ref: 025EE64D
                                                                        • RegCloseKey.ADVAPI32(025EE859,?,?,?,?,000000C8,000000E4), ref: 025EE787
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseOpen
                                                                        • String ID: PromptOnSecureDesktop
                                                                        • API String ID: 47109696-2980165447
                                                                        • Opcode ID: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                        • Instruction ID: 237de98ee643ff751faa13644d4849d0c95ec579afe51b8f6cd9ec323990b307
                                                                        • Opcode Fuzzy Hash: ca61599b3ee270ad7d52ab6b22e6fbb0cb95010ae32332e4c3022532ab02544e
                                                                        • Instruction Fuzzy Hash: 1C4128B2D0021DBFDF11EF94DC82EEEBB7DFB04314F104466EA02A6150E7719A558B64
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(?), ref: 025EAFFF
                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 025EB00D
                                                                          • Part of subcall function 025EAF6F: gethostname.WS2_32(?,00000080), ref: 025EAF83
                                                                          • Part of subcall function 025EAF6F: lstrcpy.KERNEL32(?,00410B90), ref: 025EAFE6
                                                                          • Part of subcall function 025E331C: gethostname.WS2_32(?,00000080), ref: 025E333F
                                                                          • Part of subcall function 025E331C: gethostbyname.WS2_32(?), ref: 025E3349
                                                                          • Part of subcall function 025EAA0A: inet_ntoa.WS2_32(00000000), ref: 025EAA10
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                        • String ID: %OUTLOOK_BND_
                                                                        • API String ID: 1981676241-3684217054
                                                                        • Opcode ID: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                        • Instruction ID: cb2f19bfb209e34987e2a253ff2ffa03e015dd080f68d88ab4cc018a9cd5e84c
                                                                        • Opcode Fuzzy Hash: bb8041472755e196babefc9da9900d7748fbc848bd0525b5e1603bb455f94b3f
                                                                        • Instruction Fuzzy Hash: 2D414F7290020DABDF29EFA0DC45EEE3BADFF48304F144426F92692151EA75E6548F58
                                                                        APIs
                                                                        • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 025E9536
                                                                        • Sleep.KERNEL32(000001F4), ref: 025E955D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExecuteShellSleep
                                                                        • String ID:
                                                                        • API String ID: 4194306370-3916222277
                                                                        • Opcode ID: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                        • Instruction ID: 83463a513ec37598ada0b568ef7099430e37bb8c7890aa979b0999f417174584
                                                                        • Opcode Fuzzy Hash: 441ad30f2646d1b8623b46c1d7e45f404d08a6258c9d37c2b51fbe89c32dcb37
                                                                        • Instruction Fuzzy Hash: 9941F3B18083956EEF3E8A64D8887B67FA5BF02314F1801A6D487971A2D7B44D81C759
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 025EB9D9
                                                                        • InterlockedIncrement.KERNEL32(00413648), ref: 025EBA3A
                                                                        • InterlockedIncrement.KERNEL32(?), ref: 025EBA94
                                                                        • GetTickCount.KERNEL32 ref: 025EBB79
                                                                        • GetTickCount.KERNEL32 ref: 025EBB99
                                                                        • InterlockedIncrement.KERNEL32(?), ref: 025EBE15
                                                                        • closesocket.WS2_32(00000000), ref: 025EBEB4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountIncrementInterlockedTick$closesocket
                                                                        • String ID: %FROM_EMAIL
                                                                        • API String ID: 1869671989-2903620461
                                                                        • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                        • Instruction ID: 3c855f4e27795f0972e004423acd55466e016c50b491ea3707bfedfa6679f7a9
                                                                        • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                        • Instruction Fuzzy Hash: E9316D71800248DFDF29DFA4DC84AEDBBA9FB44705F204456FA2682160DB309685CF19
                                                                        APIs
                                                                        Strings
                                                                        • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTickwsprintf
                                                                        • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                        • API String ID: 2424974917-1012700906
                                                                        • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                        • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                        • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                        • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                        APIs
                                                                          • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                          • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                        • String ID: %FROM_EMAIL
                                                                        • API String ID: 3716169038-2903620461
                                                                        • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                        • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                        • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                        • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                        APIs
                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 025E70BC
                                                                        • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 025E70F4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Name$AccountLookupUser
                                                                        • String ID: |
                                                                        • API String ID: 2370142434-2343686810
                                                                        • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                        • Instruction ID: df69b910675fc693c1a6ce6c21f2574b725d9c55d1985d85bf52cdfddf093c59
                                                                        • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                        • Instruction Fuzzy Hash: 7E112E72900258EBDF19CBD4DC84ADEB7BCBB08305F1451A6E502E6054E7709744EBA5
                                                                        APIs
                                                                          • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                          • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                        • String ID: localcfg
                                                                        • API String ID: 2777991786-1857712256
                                                                        • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                        • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                        • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                        • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                        APIs
                                                                        • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                        • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: IncrementInterlockedlstrcpyn
                                                                        • String ID: %FROM_EMAIL
                                                                        • API String ID: 224340156-2903620461
                                                                        • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                        • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                        • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                        • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                        APIs
                                                                        • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                        • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: gethostbyaddrinet_ntoa
                                                                        • String ID: localcfg
                                                                        • API String ID: 2112563974-1857712256
                                                                        • Opcode ID: eb36c4684a50d41e83146847fb5b55aa5c7421795727ebfadd0c8b1e870b45ea
                                                                        • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                        • Opcode Fuzzy Hash: eb36c4684a50d41e83146847fb5b55aa5c7421795727ebfadd0c8b1e870b45ea
                                                                        • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: gethostbynameinet_addr
                                                                        • String ID: time_cfg
                                                                        • API String ID: 1594361348-2401304539
                                                                        • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                        • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                        • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                        • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 0040EB07
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: ntdll.dll
                                                                        • API String ID: 2574300362-2227199552
                                                                        • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                        • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                        • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                        • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                        APIs
                                                                          • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                          • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                        • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1758477438.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                        • Associated: 00000000.00000002.1758477438.0000000000414000.00000040.00000001.01000000.00000003.sdmp
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_400000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                        • String ID:
                                                                        • API String ID: 1017166417-0
                                                                        • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                        • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                        • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                        • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                        APIs
                                                                          • Part of subcall function 025E2F88: GetModuleHandleA.KERNEL32(?), ref: 025E2FA1
                                                                          • Part of subcall function 025E2F88: LoadLibraryA.KERNEL32(?), ref: 025E2FB1
                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 025E31DA
                                                                        • HeapFree.KERNEL32(00000000), ref: 025E31E1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1760247720.00000000025E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 025E0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_25e0000_ewdWlNc8TL.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                        • String ID:
                                                                        • API String ID: 1017166417-0
                                                                        • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                        • Instruction ID: 8f552b7992a4acaadc52c7d6283ae96e8e569a8fec01425ed63b8b56510599d7
                                                                        • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                        • Instruction Fuzzy Hash: 73516D7190024AAFCF099F64D884AFABB75FF45305F1445A9EC96C7210E732DA19CB98

                                                                        Execution Graph

                                                                        Execution Coverage: 2.9%
                                                                        Dynamic/Decrypted Code Coverage: 2%
                                                                        Signature Coverage: 0%
                                                                        Total number of Nodes: 1562
                                                                        Total number of Limit Nodes: 13
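The execution_graph that follows is rendered by Joe Sandbox as a flat token stream: a node is `<id> <function address> [API names or a "N API calls" summary]`, an edge is `<id>-><id>`. Read that way, the stream carries a process-injection chain, CreateProcessA (409794) → VirtualAllocEx (4063be) → WriteProcessMemory (4063df, 40981e) → Wow64SetThreadContext (40983b) → ResumeThread (409858), which is the kind of API sequence an analyst wants to pull out of a 1500-node graph mechanically rather than by eye. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses the stream and searches for a directed path along which a given API sequence occurs in order. The embedded sample is the 40977c/40637c subgraph copied from this report's own listing; the node-id rule (a node id is a run of five or more decimal digits and is always followed by the address token) is an assumption inferred from the rendering, not a documented format.

```python
"""Parse a Joe Sandbox execution_graph token stream and search it for an
ordered API call sequence along a directed path (e.g. an injection chain).

Added example; not part of Joe Sandbox.  The token format (node = id, address,
API labels; edge = id->id) is inferred from the rendered listing.
"""
import re
from collections import defaultdict

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
# Assumption: a node id is 5+ decimal digits and is always followed by the
# function address; API names and labels such as "4 API calls" never are.
NODE_ID_RE = re.compile(r"^\d{5,}$")

# Sample input: the 40977c / 40637c subgraph copied from this report's listing.
SAMPLE_GRAPH = (
    "execution_graph 14784 40977c 14848 40ee2a 14784->14848 14787 4097c2 "
    "14789 4097d4 Wow64GetThreadContext 14787->14789 14788 4097bb "
    "14790 409801 14789->14790 14791 4097f5 14789->14791 14850 40637c 14790->14850 "
    "14792 4097f6 TerminateProcess 14791->14792 14792->14788 14794 409816 14794->14792 "
    "14795 40981e WriteProcessMemory 14794->14795 14795->14791 "
    "14796 40983b Wow64SetThreadContext 14795->14796 14796->14791 "
    "14797 409858 ResumeThread 14796->14797 14797->14788 "
    "14849 409794 CreateProcessA 14848->14849 14849->14787 14849->14788 "
    "14851 406386 14850->14851 14852 40638a GetModuleHandleA VirtualAlloc 14850->14852 "
    "14851->14794 14853 4063b6 14852->14853 14854 4063f5 14852->14854 "
    "14855 4063be VirtualAllocEx 14853->14855 14854->14794 14855->14854 "
    "14856 4063d6 14855->14856 14857 4063df WriteProcessMemory 14856->14857 14857->14854"
)

# The chain visible in the sample: create a process, allocate and write into
# it, redirect its thread context, resume it.
HOLLOWING_CHAIN = ["CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
                   "Wow64SetThreadContext", "ResumeThread"]


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> {"addr", "apis"}, edges maps id -> [ids]."""
    nodes, edges = {}, defaultdict(list)
    tokens = text.split()
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:
            src, dst = edge.groups()
            for n in (src, dst):            # edges may name a node before it is defined
                nodes.setdefault(n, {"addr": "", "apis": []})
            edges[src].append(dst)
            current = None                  # a label never continues after an edge
            i += 1
        elif NODE_ID_RE.match(tok) and i + 1 < len(tokens):
            nodes.setdefault(tok, {"addr": "", "apis": []})["addr"] = tokens[i + 1]
            current = tok
            i += 2                          # id and address are consumed together
        else:
            if current is not None:         # label token: an API name, or "4 API calls"
                nodes[current]["apis"].append(tok)
            i += 1
    return nodes, edges


def find_api_sequence(nodes, edges, sequence):
    """Depth-first search for a directed path on which the APIs in `sequence`
    occur in that order.  Search state is (node, entries matched so far);
    returns the path as a list of node ids, or None if no such path exists."""
    for start in [n for n in nodes if sequence[0] in nodes[n]["apis"]]:
        stack, seen = [(start, 1, [start])], set()
        while stack:
            nid, k, path = stack.pop()
            if k == len(sequence):
                return path
            if (nid, k) in seen:
                continue
            seen.add((nid, k))
            for nxt in edges.get(nid, []):
                nk = k + 1 if sequence[k] in nodes[nxt]["apis"] else k
                stack.append((nxt, nk, path + [nxt]))
    return None


def api_trace(nodes, path):
    """Reduce a path to the (address, API label) pairs of the nodes that call APIs."""
    return [(nodes[n]["addr"], " ".join(nodes[n]["apis"]))
            for n in path if nodes[n]["apis"]]


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    path = find_api_sequence(nodes, edges, HOLLOWING_CHAIN)
    for addr, apis in api_trace(nodes, path or []):
        print(addr, apis)
```

Against the sample, the search returns the path 409794 CreateProcessA → 4097d4 Wow64GetThreadContext → 40638a GetModuleHandleA VirtualAlloc → 4063be VirtualAllocEx → 4063df WriteProcessMemory → 40981e WriteProcessMemory → 40983b Wow64SetThreadContext → 409858 ResumeThread, and returns None for an order the graph does not support (for instance ResumeThread before VirtualAllocEx). To run it on the whole report, paste the full execution_graph text into SAMPLE_GRAPH; the matched-count search state keeps the traversal linear in nodes × sequence length, so the full 1500-node graph is not a problem.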
                                                                        execution_graph (Joe Sandbox node/edge listing, condensed to the functions that call Win32 APIs, keyed by their address in the image loaded at 0x400000; "N API calls" is the report's own summary label for a subcall; the raw listing continues past node 15562, where this copy is cut off)

                                                                        Service control
                                                                        • 409961 RegisterServiceCtrlHandlerA → 409892 / 4098c2 SetServiceStatus → 4098f2 worker loop (409904 Sleep) → 404280 and 40977c
                                                                        • 40a39d StartServiceCtrlDispatcherA → 40a3c2 → 4098f2

                                                                        Overlapped I/O helper (404280)
                                                                        • 404280 CreateEventA → 403ecd → 406dc2 (406e02 GetVolumeInformationA; 406cc9: 406cdc GetModuleHandleA GetProcAddress → 406d12 GetSystemDirectoryA → 406d27 GetWindowsDirectoryA → 40ef1e lstrlenA)
                                                                        • 404000: 40400b CreateFileA; on failure 40402c GetLastError → 404041 Sleep → retry
                                                                        • 403f18 WriteFile (403f4e GetLastError → 403f5b WaitForSingleObject GetOverlappedResult); 403f8c ReadFile (403fc2 GetLastError → 403fcf WaitForSingleObject GetOverlappedResult)
                                                                        • heap helpers 40ebcc GetProcessHeap HeapAlloc, 40eb7b / 40eba7 GetProcessHeap HeapSize, 40ebbf GetProcessHeap HeapFree, 40ec0a GetProcessHeap HeapReAlloc; 40439f / 4043ba / 4043c1 CloseHandle

                                                                        Thread-context injection into a newly created process (40977c)
                                                                        • 409794 CreateProcessA → 4097d4 Wow64GetThreadContext → 40637c (40638a GetModuleHandleA VirtualAlloc → 4063be VirtualAllocEx → 4063df WriteProcessMemory) → 40981e WriteProcessMemory → 40983b Wow64SetThreadContext → 409858 ResumeThread; any failure branches to 4097f6 TerminateProcess

                                                                        Root routine (409a6b)
                                                                        • 409a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter → 40ec54 GetSystemTimeAsFileTime GetVolumeInformationA GetTickCount → 409aa3 GetModuleHandleA GetModuleFileNameA → 409afd GetCommandLineA → 409b22 argument handling (409b96 lstrlenA)
                                                                        • 40a3c7: 40a406 DeleteFileA with 40a3ed GetLastError → 40a3f8 Sleep retry; then 40a41c CreateThread WSAStartup → 40e52e and 40405e CreateEventA → 40a445 → 40eaaf → 401d96 → 40a457 → 4080c9 → 40a491 timing loop (40a49f / 40a4b7 GetTickCount, 40a4be Sleep) → 40c913
                                                                        • 409c0c → 4096aa → 4073ff registry walk (407469 / 4074d2 RegOpenKeyExA, 407521 RegQueryValueExA, 407703 RegEnumKeyA, 40777e GetFileAttributesExA, 40f1a5 lstrlenA, ___ascii_stricmp, RegCloseKey at 4076e4 / 407714 / 407742 / 4077e3 / 4077ec) and 40704c (4070b9 RegOpenKeyExA, 40719b RegEnumValueA, 40737e GetFileAttributesExA, RegCloseKey at 4071af / 407205 / 40728e / 4072cd / 407311 / 4073d5)
                                                                        • 40a1d2 → 40a1e3 GetCommandLineA → 40a205 (40a285 lstrlenA) → 406ec3 → 406e36 GetUserNameW → 406e5f LookupAccountNameW → 40a35f → 40a39d StartServiceCtrlDispatcherA
                                                                        • 409c39 → 40a167 GetModuleHandleA GetModuleFileNameA → 409c05 ExitProcess, or 40a1b2 GetDriveTypeA → 409145 GetModuleHandleA GetModuleFileNameA CharToOemA → 40919e wsprintfA → 409064 GetTempPathA → 4090e2 wsprintfA → 4090fd CreateFileA → 40911a lstrlenA WriteFile CloseHandle → 4091d5 ShellExecuteA
                                                                        • 409c4b → 404280 (30 API calls) → 40675c (21 API calls: 40677a / 4067ba SetFileAttributesA, 406784 / 4067a4 CreateFileA, 4067cf GetFileSize, ReadFile at 4067ed / 40682a / 406878 / 40690d, SetFilePointer at 406811 / 406848 / 406900, 40696e CloseHandle; 406a60 CreateFileA → 406a8f GetDiskFreeSpaceA → 40eb0e (40eaed LoadLibraryA, 40eb02 GetProcAddress) → 406987 (4069b9 / 406a10 WriteFile) → 406b56 CloseHandle, on error 406b36 / 406b65 GetLastError CloseHandle → 406b7f DeleteFileA)
                                                                        • 409ca0 GetTempPathA → 4099d2 lstrcpyA → 409a2f / 409a4b lstrcatA → 406a60 → 409cf6 (406cc9, 409d72 lstrcpyA lstrcatA lstrcatA) → 409326: 401924 GetVersionExA → 40934a GetModuleHandleA GetModuleFileNameA → 4093c3 / 409401 / 40947e wsprintfA → 406edd token check (406eef AllocateAndInitializeSid → 406f1c CheckTokenMembership → 406f3b FreeSid); 4094e8 RegOpenKeyExA → 40951f / 409556 RegQueryValueExA → 40956e RegCloseKey; 40962f → 401820 → 401000 (40100d LoadLibraryA, GetProcAddress at 4010b5 through 40125c) → 401851 GetCurrentProcess; 409646 → 4091eb (4092bf ShellExecuteA with 4092f1 Sleep retry); 409593 → 40f0e4 (40f0fa lstrlenA SysAllocStringByteLen, 40f11c MultiByteToWideChar) → 4018e0 → 401280 (401570 lstrlenW, 4015be GetStartupInfoW, 4015ff CreateProcessWithLogonW → 40163f WaitForSingleObject → 401659 / 401668 CloseHandle; 4016bf / 4016f9 GetLastError)
                                                                        • 4095d6 → 409e0c DeleteFileA, or 409dde GetFileAttributesExA → 4096ff (40972d RegOpenKeyExA → 40974f RegDeleteValueA RegCloseKey)
                                                                        • 409e3e → 409e6b GetEnvironmentVariableA → 4099d2 → 409eb0 lstrcpyA lstrlenA → 409f32 RegOpenKeyExA → 409f48 RegSetValueExA RegCloseKey → 409f9d GetModuleHandleA GetModuleFileNameA → 409ff1 GetDriveTypeA → lstrcatA at 40a02d / 40a052 / 40a064 / 40a081 → 40a0a4 wsprintfA → 402554 lstrcatA → 40a0ec lstrcatA → 40a103 CreateProcessA → 40a12a DeleteFileA → 4096ff → 40a15d → 40a167

                                                                        File and registry read (40e52e) and version/system query (401d96)
                                                                        • 40dd05 lock: 40dd41 InterlockedExchange, 40dd20 / 40dd53 GetCurrentThreadId, 40dd2e GetTickCount, 40dd39 Sleep
                                                                        • 40dbcf → 40db67 GetEnvironmentVariableA → 40db89 lstrcpyA CreateFileA (up to four candidates) → 40e555 GetFileSize → 40db2e → 40ebed (heap) → 40e576 ReadFile → 40e332 → 40f04e SystemTimeToFileTime GetSystemTimeAsFileTime → 40de24 parsing (40dd84 / 40ddad lstrcmpiA, 40ddcf / 40ddfa lstrcmpA) → 40e5b1 CloseHandle → 40e3ca RegOpenKeyExA → 40e434 / 40e46e / 40e4b9 RegQueryValueExA → 40e51d RegCloseKey
                                                                        • 401d96: 401db4 GetVersionExA → 401dd0 GetSystemInfo GetModuleHandleA GetProcAddress → 401e16 GetCurrentProcess → 40e819 / 40df70 (lookups via 40dd05 and 40dd84) → 40ea84 → 40e8a1 → 40199c inet_addr LoadLibraryA → 4019d5 GetProcAddress GetProcAddress GetProcAddress → 401a14 GetProcessHeap → 401a2e HeapAlloc → 401a52 HeapReAlloc → 401a96 HeapFree → 401aa1 / 401ab3 FreeLibrary; 401b71 / 401bdf → 401ac3 LoadLibraryA; 4030b5 → 406ec3 → 401f8e GetTickCount
                                                                        • 4080c9 → 407ee6 (64 API calls) or 40704c → 408156 RegOpenKeyExA → 40816d / 4081aa RegQueryValueExA → 40820d RegCloseKey → 40675c → 408269 CreateThread → 405e6c and 40877e; 405e6c → 40ec54 → 40e654 (13 API calls) → 403132 → 40df70 → 40c125 → 40e654 ×3 → 40a47a → 408db1 → 408dec Sleep

                                                                        Socket routine (40c913)
                                                                        • 40c517 (23 API calls), 40e819, 40ebcc, 402684, 40c8aa; 40ca4b / 40cb60 / 40dad2 closesocket; 40c65c send GetProcessHeap HeapSize GetProcessHeap HeapAlloc; 40dad2 → 40e318 (23 API calls)
                                                                        • 40cb70 dispatcher: 40df4c (20 API calls), 40e654, 40d815 wsprintfA, 40cc1c GetTempPathA, 40d569 closesocket Sleep → 40e318 / 40d582 ExitProcess, 40e8a1 (30 API calls), 40c517, 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime, 40cfe3 / 40d027 GetSystemDirectoryA, 40675c, 40cfad / 40d22d / 40d36e GetEnvironmentVariableA, 40d105 / 40d26e / 40d3af lstrcatA, 406f5f GetUserNameA, 407ead (6 API calls), 407fcf / 407ee6 (64 API calls), 40c75d, 407e2f, 4031d0, 403c09, 403a00, 40e7b4, 40c06c, 40e854, 407dd6
                                                                        • file writes from the dispatcher: 40cc9f CreateFileA → 40ccc6 WriteFile → 40cced / 40cdcc CloseHandle → 40cd2f (40cd16 wsprintfA, 407fcf) → 40cd81 WaitForSingleObject CloseHandle CloseHandle → 40f04e → 407ee6 → 40cdbd DeleteFileA; 40d15b CreateFileA → 40d182 WriteFile CloseHandle; 40d2b1 CreateFileA → 40d2d8 WriteFile CloseHandle; 40d3f2 CreateFileA → 40d415 WriteFile CloseHandle; SetFileAttributesA at 40d149 / 40d1bf / 40d29f / 40d31d / 40d3e0 / 40d452; 40d4b1 CreateProcessA → 40d4e8 CloseHandle CloseHandle
                                                                        • 408e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle

                                                                        [raw node/edge listing continues beyond node 15562; cut off in this copy]
401c0d GetComputerNameA 15560->15562 15561->15149 15563 401c45 GetVolumeInformationA 15562->15563 15564 401c1f 15562->15564 15563->15561 15564->15561 15564->15563 15566 40ee2a 15565->15566 15567 4030d0 gethostname gethostbyname 15566->15567 15568 401f82 15567->15568 15568->15154 15568->15156 15572 402419 lstrlenA 15569->15572 15571 402491 15571->15526 15573 402474 15572->15573 15574 40243d lstrlenA 15572->15574 15573->15571 15575 402464 lstrlenA 15574->15575 15576 40244e lstrcmpiA 15574->15576 15575->15573 15575->15574 15576->15575 15577 40245c 15576->15577 15577->15573 15577->15575 15579 40dd05 6 API calls 15578->15579 15580 40e8b4 15579->15580 15581 40dd84 lstrcmpiA 15580->15581 15582 40e8c0 15581->15582 15583 40e90a 15582->15583 15584 40e8c8 lstrcpynA 15582->15584 15586 402419 4 API calls 15583->15586 15595 40ea27 15583->15595 15585 40e8f5 15584->15585 15599 40df4c 15585->15599 15587 40e926 lstrlenA lstrlenA 15586->15587 15589 40e96a 15587->15589 15590 40e94c lstrlenA 15587->15590 15593 40ebcc 4 API calls 15589->15593 15589->15595 15590->15589 15591 40e901 15592 40dd84 lstrcmpiA 15591->15592 15592->15583 15594 40e98f 15593->15594 15594->15595 15596 40df4c 20 API calls 15594->15596 15595->15540 15597 40ea1e 15596->15597 15598 40ec2e codecvt 4 API calls 15597->15598 15598->15595 15600 40dd05 6 API calls 15599->15600 15601 40df51 15600->15601 15602 40f04e 4 API calls 15601->15602 15603 40df58 15602->15603 15604 40de24 10 API calls 15603->15604 15605 40df63 15604->15605 15605->15591 15607 401ae2 GetProcAddress 15606->15607 15612 401b68 GetComputerNameA GetVolumeInformationA 15606->15612 15608 401af5 15607->15608 15607->15612 15609 40ebed 8 API calls 15608->15609 15610 401b29 15608->15610 15609->15608 15610->15610 15611 40ec2e codecvt 4 API calls 15610->15611 15610->15612 15611->15612 15612->15557 15614 406ec3 2 API calls 15613->15614 15615 407ef4 15614->15615 15616 407fc9 15615->15616 15617 4073ff 17 API calls 15615->15617 15616->15167 15618 407f16 15617->15618 
15618->15616 15626 407809 GetUserNameA 15618->15626 15620 407f63 15620->15616 15621 40ef1e lstrlenA 15620->15621 15622 407fa6 15621->15622 15623 40ef1e lstrlenA 15622->15623 15624 407fb7 15623->15624 15650 407a95 RegOpenKeyExA 15624->15650 15627 40783d LookupAccountNameA 15626->15627 15632 407a8d 15626->15632 15628 407874 GetLengthSid GetFileSecurityA 15627->15628 15627->15632 15629 4078a8 GetSecurityDescriptorOwner 15628->15629 15628->15632 15630 4078c5 EqualSid 15629->15630 15631 40791d GetSecurityDescriptorDacl 15629->15631 15630->15631 15633 4078dc LocalAlloc 15630->15633 15631->15632 15640 407941 15631->15640 15632->15620 15633->15631 15634 4078ef InitializeSecurityDescriptor 15633->15634 15635 407916 LocalFree 15634->15635 15636 4078fb SetSecurityDescriptorOwner 15634->15636 15635->15631 15636->15635 15638 40790b SetFileSecurityA 15636->15638 15637 40795b GetAce 15637->15640 15638->15635 15639 407980 EqualSid 15639->15640 15640->15632 15640->15637 15640->15639 15641 407a3d 15640->15641 15642 4079be EqualSid 15640->15642 15643 40799d DeleteAce 15640->15643 15641->15632 15644 407a43 LocalAlloc 15641->15644 15642->15640 15643->15640 15644->15632 15645 407a56 InitializeSecurityDescriptor 15644->15645 15646 407a62 SetSecurityDescriptorDacl 15645->15646 15647 407a86 LocalFree 15645->15647 15646->15647 15648 407a73 SetFileSecurityA 15646->15648 15647->15632 15648->15647 15649 407a83 15648->15649 15649->15647 15651 407ac4 15650->15651 15652 407acb GetUserNameA 15650->15652 15651->15616 15653 407da7 RegCloseKey 15652->15653 15654 407aed LookupAccountNameA 15652->15654 15653->15651 15654->15653 15655 407b24 RegGetKeySecurity 15654->15655 15655->15653 15656 407b49 GetSecurityDescriptorOwner 15655->15656 15657 407b63 EqualSid 15656->15657 15658 407bb8 GetSecurityDescriptorDacl 15656->15658 15657->15658 15659 407b74 LocalAlloc 15657->15659 15660 407da6 15658->15660 15667 407bdc 15658->15667 15659->15658 15661 407b8a InitializeSecurityDescriptor 15659->15661 15660->15653 
15662 407bb1 LocalFree 15661->15662 15663 407b96 SetSecurityDescriptorOwner 15661->15663 15662->15658 15663->15662 15665 407ba6 RegSetKeySecurity 15663->15665 15664 407bf8 GetAce 15664->15667 15665->15662 15666 407c1d EqualSid 15666->15667 15667->15660 15667->15664 15667->15666 15668 407c5f EqualSid 15667->15668 15669 407cd9 15667->15669 15670 407c3a DeleteAce 15667->15670 15668->15667 15669->15660 15671 407d5a LocalAlloc 15669->15671 15673 407cf2 RegOpenKeyExA 15669->15673 15670->15667 15671->15660 15672 407d70 InitializeSecurityDescriptor 15671->15672 15674 407d7c SetSecurityDescriptorDacl 15672->15674 15675 407d9f LocalFree 15672->15675 15673->15671 15678 407d0f 15673->15678 15674->15675 15676 407d8c RegSetKeySecurity 15674->15676 15675->15660 15676->15675 15677 407d9c 15676->15677 15677->15675 15679 407d43 RegSetValueExA 15678->15679 15679->15671 15680 407d54 15679->15680 15680->15671 15681->15184 15683 40dd05 6 API calls 15682->15683 15686 40e65f 15683->15686 15684 40e6a5 15685 40ebcc 4 API calls 15684->15685 15689 40e6f5 15684->15689 15688 40e6b0 15685->15688 15686->15684 15687 40e68c lstrcmpA 15686->15687 15687->15686 15688->15689 15691 40e6b7 15688->15691 15692 40e6e0 lstrcpynA 15688->15692 15690 40e71d lstrcmpA 15689->15690 15689->15691 15690->15689 15691->15186 15692->15689 15693->15192 15695 40c525 15694->15695 15696 40c532 15694->15696 15695->15696 15698 40ec2e codecvt 4 API calls 15695->15698 15697 40c548 15696->15697 15846 40e7ff 15696->15846 15700 40e7ff lstrcmpiA 15697->15700 15707 40c54f 15697->15707 15698->15696 15701 40c615 15700->15701 15702 40ebcc 4 API calls 15701->15702 15701->15707 15702->15707 15703 40c5d1 15705 40ebcc 4 API calls 15703->15705 15705->15707 15706 40e819 11 API calls 15708 40c5b7 15706->15708 15707->15205 15709 40f04e 4 API calls 15708->15709 15710 40c5bf 15709->15710 15710->15697 15710->15703 15712 402692 inet_addr 15711->15712 15713 40268e 15711->15713 15712->15713 15714 40269e gethostbyname 15712->15714 15715 40f428 
15713->15715 15714->15713 15849 40f315 15715->15849 15720 40c8d2 15718->15720 15719 40c907 15719->15207 15720->15719 15721 40c517 23 API calls 15720->15721 15721->15719 15722 40f43e 15723 40f473 recv 15722->15723 15724 40f47c 15723->15724 15725 40f458 15723->15725 15724->15223 15725->15723 15725->15724 15727 40c670 15726->15727 15729 40c67d 15726->15729 15728 40ebcc 4 API calls 15727->15728 15728->15729 15730 40ebcc 4 API calls 15729->15730 15732 40c699 15729->15732 15730->15732 15731 40c6f3 15731->15236 15731->15266 15732->15731 15733 40c73c send 15732->15733 15733->15731 15735 40c770 15734->15735 15736 40c77d 15734->15736 15737 40ebcc 4 API calls 15735->15737 15738 40c799 15736->15738 15739 40ebcc 4 API calls 15736->15739 15737->15736 15740 40c7b5 15738->15740 15741 40ebcc 4 API calls 15738->15741 15739->15738 15742 40f43e recv 15740->15742 15741->15740 15744 40c7cb 15742->15744 15743 40c7d3 15743->15266 15744->15743 15745 40f43e recv 15744->15745 15745->15743 15862 407db7 15746->15862 15749 40f04e 4 API calls 15752 407e4c 15749->15752 15750 40f04e 4 API calls 15751 407e96 15750->15751 15751->15266 15753 40f04e 4 API calls 15752->15753 15754 407e70 15752->15754 15753->15754 15754->15750 15754->15751 15756 406ec3 2 API calls 15755->15756 15757 407fdd 15756->15757 15758 4080c2 CreateProcessA 15757->15758 15759 4073ff 17 API calls 15757->15759 15758->15289 15758->15290 15760 407fff 15759->15760 15760->15758 15761 407809 21 API calls 15760->15761 15762 40804d 15761->15762 15762->15758 15763 40ef1e lstrlenA 15762->15763 15764 40809e 15763->15764 15765 40ef1e lstrlenA 15764->15765 15766 4080af 15765->15766 15767 407a95 24 API calls 15766->15767 15767->15758 15769 407db7 2 API calls 15768->15769 15770 407eb8 15769->15770 15771 40f04e 4 API calls 15770->15771 15772 407ece DeleteFileA 15771->15772 15772->15266 15774 40dd05 6 API calls 15773->15774 15775 40e31d 15774->15775 15866 40e177 15775->15866 15777 40e326 15777->15258 15779 4031f3 15778->15779 15781 4031ec 
15778->15781 15780 40ebcc 4 API calls 15779->15780 15782 4031fc 15780->15782 15781->15266 15782->15781 15789 40ebcc GetProcessHeap HeapSize GetProcessHeap HeapAlloc 15782->15789 15790 40344d 15782->15790 15792 40344b 15782->15792 15794 403141 lstrcmpiA 15782->15794 15892 4030fa GetTickCount 15782->15892 15783 403459 15786 40f04e 4 API calls 15783->15786 15784 40349d 15785 40ec2e codecvt 4 API calls 15784->15785 15785->15781 15787 40345f 15786->15787 15788 4030fa 4 API calls 15787->15788 15788->15781 15789->15782 15791 40ec2e codecvt 4 API calls 15790->15791 15791->15792 15792->15783 15792->15784 15794->15782 15796 4030fa 4 API calls 15795->15796 15797 403c1a 15796->15797 15801 403ce6 15797->15801 15897 403a72 15797->15897 15800 403a72 9 API calls 15804 403c5e 15800->15804 15801->15266 15802 403a72 9 API calls 15802->15804 15803 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15803->15804 15804->15801 15804->15802 15804->15803 15806 403a10 15805->15806 15807 4030fa 4 API calls 15806->15807 15808 403a1a 15807->15808 15808->15266 15810 40dd05 6 API calls 15809->15810 15811 40e7be 15810->15811 15811->15266 15813 40c105 15812->15813 15814 40c07e wsprintfA 15812->15814 15813->15266 15906 40bfce GetTickCount wsprintfA 15814->15906 15816 40c0ef 15907 40bfce GetTickCount wsprintfA 15816->15907 15819 407047 15818->15819 15820 406f88 LookupAccountNameA 15818->15820 15819->15266 15822 407025 15820->15822 15823 406fcb 15820->15823 15824 406edd 5 API calls 15822->15824 15825 406fdb ConvertSidToStringSidA 15823->15825 15826 40702a wsprintfA 15824->15826 15825->15822 15827 406ff1 15825->15827 15826->15819 15828 407013 LocalFree 15827->15828 15828->15822 15830 40dd05 6 API calls 15829->15830 15831 40e85c 15830->15831 15832 40dd84 lstrcmpiA 15831->15832 15833 40e867 15832->15833 15834 40e885 lstrcpyA 15833->15834 15908 4024a5 15833->15908 15911 40dd69 15834->15911 15840 407db7 2 API calls 15839->15840 15841 407de1 15840->15841 15842 40f04e 4 API calls 15841->15842 
15845 407e16 15841->15845 15843 407df2 15842->15843 15844 40f04e 4 API calls 15843->15844 15843->15845 15844->15845 15845->15266 15847 40dd84 lstrcmpiA 15846->15847 15848 40c58e 15847->15848 15848->15697 15848->15703 15848->15706 15850 40f33b 15849->15850 15851 40ca1d 15849->15851 15852 40f347 htons socket 15850->15852 15851->15220 15851->15722 15853 40f382 ioctlsocket 15852->15853 15854 40f374 closesocket 15852->15854 15855 40f3aa connect select 15853->15855 15856 40f39d 15853->15856 15854->15851 15855->15851 15858 40f3f2 __WSAFDIsSet 15855->15858 15857 40f39f closesocket 15856->15857 15857->15851 15858->15857 15859 40f403 ioctlsocket 15858->15859 15861 40f26d setsockopt setsockopt setsockopt setsockopt setsockopt 15859->15861 15861->15851 15863 407dc8 InterlockedExchange 15862->15863 15864 407dc0 Sleep 15863->15864 15865 407dd4 15863->15865 15864->15863 15865->15749 15865->15754 15867 40e184 15866->15867 15868 40e2e4 15867->15868 15869 40e223 15867->15869 15882 40dfe2 15867->15882 15868->15777 15869->15868 15871 40dfe2 8 API calls 15869->15871 15876 40e23c 15871->15876 15872 40e1be 15872->15869 15873 40dbcf 3 API calls 15872->15873 15875 40e1d6 15873->15875 15874 40e21a CloseHandle 15874->15869 15875->15869 15875->15874 15877 40e1f9 WriteFile 15875->15877 15876->15868 15886 40e095 RegCreateKeyExA 15876->15886 15877->15874 15879 40e213 15877->15879 15879->15874 15880 40e2a3 15880->15868 15881 40e095 4 API calls 15880->15881 15881->15868 15883 40dffc 15882->15883 15885 40e024 15882->15885 15884 40db2e 8 API calls 15883->15884 15883->15885 15884->15885 15885->15872 15887 40e172 15886->15887 15889 40e0c0 15886->15889 15887->15880 15888 40e13d 15890 40e14e RegDeleteValueA RegCloseKey 15888->15890 15889->15888 15891 40e115 RegSetValueExA 15889->15891 15890->15887 15891->15888 15891->15889 15893 403122 InterlockedExchange 15892->15893 15894 40312e 15893->15894 15895 40310f GetTickCount 15893->15895 15894->15782 15895->15894 15896 40311a Sleep 15895->15896 15896->15893 
15898 40f04e 4 API calls 15897->15898 15905 403a83 15898->15905 15899 403bc0 15900 403be6 15899->15900 15902 40ec2e GetProcessHeap HeapSize GetProcessHeap HeapFree codecvt 15899->15902 15903 40ec2e codecvt 4 API calls 15900->15903 15901 403ac1 15901->15800 15901->15801 15902->15899 15903->15901 15904 403b66 lstrlenA 15904->15901 15904->15905 15905->15899 15905->15901 15905->15904 15906->15816 15907->15813 15909 402419 4 API calls 15908->15909 15910 4024b6 15909->15910 15910->15834 15912 40dd79 lstrlenA 15911->15912 15912->15266 15914 404084 15913->15914 15915 40407d 15913->15915 15916 403ecd 6 API calls 15914->15916 15917 40408f 15916->15917 15918 404000 3 API calls 15917->15918 15920 404095 15918->15920 15919 404130 15921 403ecd 6 API calls 15919->15921 15920->15919 15925 403f18 4 API calls 15920->15925 15922 404159 CreateNamedPipeA 15921->15922 15923 404167 Sleep 15922->15923 15924 404188 ConnectNamedPipe 15922->15924 15923->15919 15926 404176 CloseHandle 15923->15926 15928 404195 GetLastError 15924->15928 15937 4041ab 15924->15937 15927 4040da 15925->15927 15926->15924 15930 403f8c 4 API calls 15927->15930 15931 40425e DisconnectNamedPipe 15928->15931 15928->15937 15929 403f8c ReadFile GetLastError WaitForSingleObject GetOverlappedResult 15929->15937 15932 4040ec 15930->15932 15931->15924 15933 404127 CloseHandle 15932->15933 15934 404101 15932->15934 15933->15919 15935 403f18 4 API calls 15934->15935 15936 40411c ExitProcess 15935->15936 15937->15924 15937->15929 15937->15931 15938 403f18 WriteFile GetLastError WaitForSingleObject GetOverlappedResult 15937->15938 15939 40426a CloseHandle CloseHandle 15937->15939 15938->15937 15940 40e318 23 API calls 15939->15940 15941 40427b 15940->15941 15941->15941 15943 408791 15942->15943 15944 40879f 15942->15944 15945 40f04e 4 API calls 15943->15945 15946 4087bc 15944->15946 15947 40f04e 4 API calls 15944->15947 15945->15944 15948 40e819 11 API calls 15946->15948 15947->15946 15949 4087d7 15948->15949 15961 408803 
15949->15961 15963 4026b2 gethostbyaddr 15949->15963 15951 4087eb 15953 40e8a1 30 API calls 15951->15953 15951->15961 15953->15961 15956 40e819 11 API calls 15956->15961 15957 4088a0 Sleep 15957->15961 15958 40f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 15958->15961 15960 4026b2 2 API calls 15960->15961 15961->15956 15961->15957 15961->15958 15961->15960 15962 40e8a1 30 API calls 15961->15962 15968 40c4d6 15961->15968 15971 40c4e2 15961->15971 15974 402011 15961->15974 16009 408328 15961->16009 15962->15961 15964 4026fb 15963->15964 15965 4026cd 15963->15965 15964->15951 15966 4026e1 inet_ntoa 15965->15966 15967 4026de 15965->15967 15966->15967 15967->15951 16061 40c2dc 15968->16061 15972 40c2dc 141 API calls 15971->15972 15973 40c4ec 15972->15973 15973->15961 15975 402020 15974->15975 15976 40202e 15974->15976 15977 40f04e 4 API calls 15975->15977 15979 40f04e 4 API calls 15976->15979 15982 40204b 15976->15982 15977->15976 15978 40206e GetTickCount 15981 4020db GetTickCount 15978->15981 15992 402090 15978->15992 15979->15982 15980 40f04e 4 API calls 15984 402068 15980->15984 15983 402132 GetTickCount GetTickCount 15981->15983 15994 4020e7 15981->15994 15982->15978 15982->15980 15987 40f04e 4 API calls 15983->15987 15984->15978 15985 4020d4 GetTickCount 15985->15981 15986 40212b GetTickCount 15986->15983 15989 402159 15987->15989 15988 402684 2 API calls 15988->15992 15990 4021b4 15989->15990 15993 40e854 13 API calls 15989->15993 15995 40f04e 4 API calls 15990->15995 15992->15985 15992->15988 15999 4020ce 15992->15999 16396 401978 15992->16396 15996 40218e 15993->15996 15994->15986 16001 401978 15 API calls 15994->16001 16002 402125 15994->16002 16401 402ef8 15994->16401 15998 4021d1 15995->15998 16000 40e819 11 API calls 15996->16000 16003 4021f2 15998->16003 16005 40ea84 30 API calls 15998->16005 15999->15985 16004 40219c 16000->16004 16001->15994 16002->15986 16003->15961 16004->15990 16409 401c5f 16004->16409 16006 4021ec 
16005->16006 16007 40f04e 4 API calls 16006->16007 16007->16003 16010 407dd6 6 API calls 16009->16010 16011 40833c 16010->16011 16012 406ec3 2 API calls 16011->16012 16038 408340 16011->16038 16013 40834f 16012->16013 16014 40835c 16013->16014 16018 40846b 16013->16018 16015 4073ff 17 API calls 16014->16015 16039 408373 16015->16039 16016 4085df 16019 408626 GetTempPathA 16016->16019 16025 408762 16016->16025 16029 408638 16016->16029 16017 40675c 21 API calls 16017->16016 16020 4084a7 RegOpenKeyExA 16018->16020 16035 408450 16018->16035 16019->16029 16023 4084c0 RegQueryValueExA 16020->16023 16024 40852f 16020->16024 16022 4086ad 16022->16025 16028 407e2f 6 API calls 16022->16028 16026 408521 RegCloseKey 16023->16026 16027 4084dd 16023->16027 16030 408564 RegOpenKeyExA 16024->16030 16042 4085a5 16024->16042 16034 40ec2e codecvt 4 API calls 16025->16034 16025->16038 16026->16024 16027->16026 16036 40ebcc 4 API calls 16027->16036 16031 4086bb 16028->16031 16481 406ba7 IsBadCodePtr 16029->16481 16032 408573 RegSetValueExA RegCloseKey 16030->16032 16030->16042 16033 40875b DeleteFileA 16031->16033 16048 4086e0 lstrcpyA lstrlenA 16031->16048 16032->16042 16033->16025 16034->16038 16035->16016 16035->16017 16037 4084f0 16036->16037 16037->16026 16041 4084f8 RegQueryValueExA 16037->16041 16038->15961 16039->16035 16039->16038 16043 4083ea RegOpenKeyExA 16039->16043 16041->16026 16044 408515 16041->16044 16042->16035 16045 40ec2e codecvt 4 API calls 16042->16045 16043->16035 16046 4083fd RegQueryValueExA 16043->16046 16047 40ec2e codecvt 4 API calls 16044->16047 16045->16035 16049 40842d RegSetValueExA 16046->16049 16050 40841e 16046->16050 16052 40851d 16047->16052 16053 407fcf 64 API calls 16048->16053 16051 408447 RegCloseKey 16049->16051 16050->16049 16050->16051 16051->16035 16052->16026 16054 408719 CreateProcessA 16053->16054 16055 40873d CloseHandle CloseHandle 16054->16055 16056 40874f 16054->16056 16055->16025 16057 407ee6 64 API calls 16056->16057 16058 408754 
16057->16058 16059 407ead 6 API calls 16058->16059 16060 40875a 16059->16060 16060->16033 16077 40a4c7 GetTickCount 16061->16077 16064 40c300 GetTickCount 16067 40c337 16064->16067 16065 40c326 16065->16067 16068 40c32b GetTickCount 16065->16068 16066 40c45e 16069 40c4d2 16066->16069 16070 40c4ab InterlockedIncrement CreateThread 16066->16070 16067->16066 16072 40c363 GetTickCount 16067->16072 16068->16067 16069->15961 16070->16069 16071 40c4cb CloseHandle 16070->16071 16082 40b535 16070->16082 16071->16069 16072->16066 16073 40c373 16072->16073 16074 40c378 GetTickCount 16073->16074 16075 40c37f 16073->16075 16074->16075 16076 40c43b GetTickCount 16075->16076 16076->16066 16078 40a4f7 InterlockedExchange 16077->16078 16079 40a500 16078->16079 16080 40a4e4 GetTickCount 16078->16080 16079->16064 16079->16065 16079->16066 16080->16079 16081 40a4ef Sleep 16080->16081 16081->16078 16083 40b566 16082->16083 16084 40ebcc 4 API calls 16083->16084 16085 40b587 16084->16085 16086 40ebcc 4 API calls 16085->16086 16124 40b590 16086->16124 16087 40bdcd InterlockedDecrement 16088 40bde2 16087->16088 16090 40ec2e codecvt 4 API calls 16088->16090 16091 40bdea 16090->16091 16093 40ec2e codecvt 4 API calls 16091->16093 16092 40bdb7 Sleep 16092->16124 16094 40bdf2 16093->16094 16095 40be05 16094->16095 16097 40ec2e codecvt 4 API calls 16094->16097 16096 40bdcc 16096->16087 16097->16095 16098 40ebed 8 API calls 16098->16124 16101 40b6b6 lstrlenA 16101->16124 16102 4030b5 2 API calls 16102->16124 16103 40e819 11 API calls 16103->16124 16104 40b6ed lstrcpyA 16157 405ce1 16104->16157 16107 40b731 lstrlenA 16107->16124 16108 40b71f lstrcmpA 16108->16107 16108->16124 16109 40b772 GetTickCount 16109->16124 16110 40bd49 InterlockedIncrement 16254 40a628 16110->16254 16113 40b7ce InterlockedIncrement 16167 40acd7 16113->16167 16114 40bc5b InterlockedIncrement 16114->16124 16117 40b912 GetTickCount 16117->16124 16118 40b826 InterlockedIncrement 16118->16109 16119 40b932 GetTickCount 16121 
40bc6d InterlockedIncrement 16119->16121 16119->16124 16120 40bcdc closesocket 16120->16124 16121->16124 16122 405ce1 22 API calls 16122->16124 16123 4038f0 6 API calls 16123->16124 16124->16087 16124->16092 16124->16096 16124->16098 16124->16101 16124->16102 16124->16103 16124->16104 16124->16107 16124->16108 16124->16109 16124->16110 16124->16113 16124->16114 16124->16117 16124->16118 16124->16119 16124->16120 16124->16122 16124->16123 16126 40bba6 InterlockedIncrement 16124->16126 16129 40bc4c closesocket 16124->16129 16130 40a7c1 22 API calls 16124->16130 16132 40ba71 wsprintfA 16124->16132 16133 405ded 12 API calls 16124->16133 16136 40ab81 lstrcpynA InterlockedIncrement 16124->16136 16137 40ef1e lstrlenA 16124->16137 16139 403e10 16124->16139 16142 403e4f 16124->16142 16145 40384f 16124->16145 16165 40a7a3 inet_ntoa 16124->16165 16172 40abee 16124->16172 16184 401feb GetTickCount 16124->16184 16185 40a688 16124->16185 16208 403cfb 16124->16208 16211 40b3c5 16124->16211 16242 40ab81 16124->16242 16126->16124 16129->16124 16130->16124 16188 40a7c1 16132->16188 16133->16124 16136->16124 16137->16124 16140 4030fa 4 API calls 16139->16140 16141 403e1d 16140->16141 16141->16124 16143 4030fa 4 API calls 16142->16143 16144 403e5c 16143->16144 16144->16124 16146 4030fa 4 API calls 16145->16146 16147 403863 16146->16147 16148 4038b9 16147->16148 16149 403889 16147->16149 16156 4038b2 16147->16156 16263 4035f9 16148->16263 16257 403718 16149->16257 16154 403718 6 API calls 16154->16156 16155 4035f9 6 API calls 16155->16156 16156->16124 16158 405cf4 16157->16158 16159 405cec 16157->16159 16160 404bd1 4 API calls 16158->16160 16269 404bd1 GetTickCount 16159->16269 16162 405d02 16160->16162 16274 405472 16162->16274 16166 40a7b9 16165->16166 16166->16124 16168 40f315 14 API calls 16167->16168 16169 40aceb 16168->16169 16170 40acff 16169->16170 16171 40f315 14 API calls 16169->16171 16170->16124 16171->16170 16173 40abfb 16172->16173 16176 40ac65 16173->16176 16337 402f22 
16173->16337 16175 40f315 14 API calls 16175->16176 16176->16175 16177 40ac8a 16176->16177 16178 40ac6f 16176->16178 16177->16124 16180 40ab81 2 API calls 16178->16180 16179 40ac23 16179->16176 16181 402684 2 API calls 16179->16181 16182 40ac81 16180->16182 16181->16179 16345 4038f0 16182->16345 16184->16124 16359 40a63d 16185->16359 16187 40a696 16187->16124 16189 40a87d lstrlenA send 16188->16189 16190 40a7df 16188->16190 16191 40a899 16189->16191 16192 40a8bf 16189->16192 16190->16189 16197 40a7fa wsprintfA 16190->16197 16198 40a80a 16190->16198 16200 40a8f2 16190->16200 16195 40a8a5 wsprintfA 16191->16195 16201 40a89e 16191->16201 16193 40a8c4 send 16192->16193 16192->16200 16196 40a8d8 wsprintfA 16193->16196 16193->16200 16194 40a978 recv 16194->16200 16202 40a982 16194->16202 16195->16201 16196->16201 16197->16198 16198->16189 16199 40a9b0 wsprintfA 16199->16201 16200->16194 16200->16199 16200->16202 16201->16124 16202->16201 16203 4030b5 2 API calls 16202->16203 16204 40ab05 16203->16204 16205 40e819 11 API calls 16204->16205 16206 40ab17 16205->16206 16207 40a7a3 inet_ntoa 16206->16207 16207->16201 16209 4030fa 4 API calls 16208->16209 16210 403d0b 16209->16210 16210->16124 16212 405ce1 22 API calls 16211->16212 16213 40b3e6 16212->16213 16214 405ce1 22 API calls 16213->16214 16216 40b404 16214->16216 16215 40b440 16218 40ef7c 3 API calls 16215->16218 16216->16215 16217 40ef7c 3 API calls 16216->16217 16219 40b42b 16217->16219 16220 40b458 wsprintfA 16218->16220 16221 40ef7c 3 API calls 16219->16221 16222 40ef7c 3 API calls 16220->16222 16221->16215 16223 40b480 16222->16223 16224 40ef7c 3 API calls 16223->16224 16225 40b493 16224->16225 16226 40ef7c 3 API calls 16225->16226 16227 40b4bb 16226->16227 16364 40ad89 GetLocalTime SystemTimeToFileTime 16227->16364 16231 40b4cc 16232 40ef7c 3 API calls 16231->16232 16233 40b4dd 16232->16233 16234 40b211 7 API calls 16233->16234 16235 40b4ec 16234->16235 16236 40ef7c 3 API calls 16235->16236 16237 40b4fd 
16236->16237 16238 40b211 7 API calls 16237->16238 16239 40b509 16238->16239 16240 40ef7c 3 API calls 16239->16240 16241 40b51a 16240->16241 16241->16124 16243 40ab8c 16242->16243 16245 40abe9 GetTickCount 16242->16245 16244 40aba8 lstrcpynA 16243->16244 16243->16245 16246 40abe1 InterlockedIncrement 16243->16246 16244->16243 16247 40a51d 16245->16247 16246->16243 16248 40a4c7 4 API calls 16247->16248 16249 40a52c 16248->16249 16250 40a542 GetTickCount 16249->16250 16252 40a539 GetTickCount 16249->16252 16250->16252 16253 40a56c 16252->16253 16253->16124 16255 40a4c7 4 API calls 16254->16255 16256 40a633 16255->16256 16256->16124 16258 40f04e 4 API calls 16257->16258 16260 40372a 16258->16260 16259 403847 16259->16154 16259->16156 16260->16259 16261 4037b3 GetCurrentThreadId 16260->16261 16261->16260 16262 4037c8 GetCurrentThreadId 16261->16262 16262->16260 16264 40f04e 4 API calls 16263->16264 16268 40360c 16264->16268 16265 4036f1 16265->16155 16265->16156 16266 4036da GetCurrentThreadId 16266->16265 16267 4036e5 GetCurrentThreadId 16266->16267 16267->16265 16268->16265 16268->16266 16270 404bff InterlockedExchange 16269->16270 16271 404c08 16270->16271 16272 404bec GetTickCount 16270->16272 16271->16158 16272->16271 16273 404bf7 Sleep 16272->16273 16273->16270 16293 404763 16274->16293 16276 405b58 16303 404699 16276->16303 16279 404763 lstrlenA 16280 405b6e 16279->16280 16324 404f9f 16280->16324 16282 405b79 16282->16124 16284 405549 lstrlenA 16291 40548a 16284->16291 16286 40558d lstrcpynA 16286->16291 16287 405a9f lstrcpyA 16287->16291 16288 405935 lstrcpynA 16288->16291 16289 405472 13 API calls 16289->16291 16290 4058e7 lstrcpyA 16290->16291 16291->16276 16291->16286 16291->16287 16291->16288 16291->16289 16291->16290 16292 404ae6 8 API calls 16291->16292 16297 404ae6 16291->16297 16301 40ef7c lstrlenA lstrlenA lstrlenA 16291->16301 16292->16291 16295 40477a 16293->16295 16294 404859 16294->16291 16295->16294 16296 40480d lstrlenA 16295->16296 16296->16295 
                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 00409A7F
                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 00409A83
                                                                        • SetUnhandledExceptionFilter.KERNEL32(00406511), ref: 00409A8A
                                                                          • Part of subcall function 0040EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                          • Part of subcall function 0040EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                          • Part of subcall function 0040EC54: GetTickCount.KERNEL32 ref: 0040EC78
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 00409AB3
                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 00409ABA
                                                                        • GetCommandLineA.KERNEL32 ref: 00409AFD
                                                                        • lstrlenA.KERNEL32(?), ref: 00409B99
                                                                        • ExitProcess.KERNEL32 ref: 00409C06
                                                                        • GetTempPathA.KERNEL32(000001F4,?), ref: 00409CAC
                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 00409D7A
                                                                        • lstrcatA.KERNEL32(?,?), ref: 00409D8B
                                                                        • lstrcatA.KERNEL32(?,0041070C), ref: 00409D9D
                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 00409DED
                                                                        • DeleteFileA.KERNEL32(00000022), ref: 00409E38
                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 00409E6F
                                                                        • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409EC8
                                                                        • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 00409ED5
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 00409F3B
                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 00409F5E
                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 00409F6A
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 00409FAD
                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FB4
                                                                        • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 00409FFE
                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A038
                                                                        • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A05E
                                                                        • lstrcatA.KERNEL32(00000022,00000022), ref: 0040A072
                                                                        • lstrcatA.KERNEL32(00000022,00410A34), ref: 0040A08D
                                                                        • wsprintfA.USER32 ref: 0040A0B6
                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 0040A0DE
                                                                        • lstrcatA.KERNEL32(00000022,?), ref: 0040A0FD
                                                                        • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0040A120
                                                                        • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 0040A131
                                                                        • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 0040A174
                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 0040A17B
                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 0040A1B6
                                                                        • GetCommandLineA.KERNEL32 ref: 0040A1E5
                                                                          • Part of subcall function 004099D2: lstrcpyA.KERNEL32(?,?,00000100,004122F8,00000000,?,00409E9D,?,00000022,?,?,?,?,?,?,?), ref: 004099DF
                                                                          • Part of subcall function 004099D2: lstrcatA.KERNEL32(00000022,00000000,?,?,00409E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 00409A3C
                                                                          • Part of subcall function 004099D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,00409E9D,?,00000022,?,?,?), ref: 00409A52
                                                                        • lstrlenA.KERNEL32(?), ref: 0040A288
                                                                        • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0040A3B7
                                                                        • GetLastError.KERNEL32 ref: 0040A3ED
                                                                        • Sleep.KERNEL32(000003E8), ref: 0040A400
                                                                        • DeleteFileA.KERNEL32(C:\Users\user\Desktop\ewdWlNc8TL.exe), ref: 0040A407
                                                                        • CreateThread.KERNEL32(00000000,00000000,0040405E,00000000,00000000,00000000), ref: 0040A42C
                                                                        • WSAStartup.WS2_32(00001010,?), ref: 0040A43A
                                                                        • CreateThread.KERNEL32(00000000,00000000,0040877E,00000000,00000000,00000000), ref: 0040A469
                                                                        • Sleep.KERNEL32(00000BB8), ref: 0040A48A
                                                                        • GetTickCount.KERNEL32 ref: 0040A49F
                                                                        • GetTickCount.KERNEL32 ref: 0040A4B7
                                                                        • Sleep.KERNEL32(00001A90), ref: 0040A4C3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                        • String ID: "$"$"$%X%08X$C:\Users\user\Desktop\ewdWlNc8TL.exe$C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe$D$P$\$rpfcsqnj
                                                                        • API String ID: 2089075347-2046649171
                                                                        • Opcode ID: 74ed254e80b92ce2a67cd9b5d092285e1d886697e7539b718069182a3e242c6b
                                                                        • Instruction ID: 9e8e6158c267d4507ba39c142606b205eb09e8ef63bc9ae6e883bbf27c052806
                                                                        • Opcode Fuzzy Hash: 74ed254e80b92ce2a67cd9b5d092285e1d886697e7539b718069182a3e242c6b
                                                                        • Instruction Fuzzy Hash: 4A5291B1D40259BBDB11DBA1CC49EEF7BBCAF04304F1444BBF509B6182D6788E948B69

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,00409816,EntryPoint), ref: 0040638F
                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,00409816,EntryPoint), ref: 004063A9
                                                                        • VirtualAllocEx.KERNELBASE(00000000,00000000,?,00001000,00000040), ref: 004063CA
                                                                        • WriteProcessMemory.KERNELBASE(00000000,00000000,?,?,00000000), ref: 004063EB
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 1965334864-0
                                                                        • Opcode ID: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                        • Instruction ID: 5c31eb3238d54f8d6ca6dd7d72ba58cabd3ec10295ac0618dae15ec7b9dc1832
                                                                        • Opcode Fuzzy Hash: 6b7839f040fb078f737eaa4cdd504cc34e5d0933869709ec770a1cd6c6f8f9ba
                                                                        • Instruction Fuzzy Hash: B911A3B1600219BFEB119F65DC49F9B3FA8EB047A4F114035FD09E7290D775DC108AA8

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 00407472
                                                                        • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004074F0
                                                                        • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407528
                                                                        • ___ascii_stricmp.LIBCMT ref: 0040764D
                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 004076E7
                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 00407706
                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407717
                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 00407745
                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 004077EF
                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040778F
                                                                        • RegCloseKey.KERNELBASE(?), ref: 004077E6
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                        • String ID: "
                                                                        • API String ID: 3433985886-123907689
                                                                        • Opcode ID: fb0f2a9e6fd52b701184d9b1120ae1b26139c4ce9695fa828964d471d7998326
                                                                        • Instruction ID: 2be8177c38fcb0431c37abdcb30432b02610efeff0693f38a05b2573c300e2d4
                                                                        • Opcode Fuzzy Hash: fb0f2a9e6fd52b701184d9b1120ae1b26139c4ce9695fa828964d471d7998326
                                                                        • Instruction Fuzzy Hash: E8C1F171D04209ABEB119BA5DC45BEF7BB9EF04310F1004B7F504B72D1EA79AE908B69

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0255024D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        • API ID: AllocVirtual
                                                                        • String ID: cess$kernel32.dll
                                                                        • API String ID: 4275171209-1230238691
                                                                        • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                        • Instruction ID: d4367e16267fe39940be7016af56db0703376a54c78866face186bf6b1dcdb2f
                                                                        • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                        • Instruction Fuzzy Hash: B6526B74A01229DFDB64CF58C995BACBBB1BF09314F1480DAE94DAB351DB30AA85CF14

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CreateProcessA.KERNELBASE(00000000,00409947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,004122F8), ref: 004097B1
                                                                        • Wow64GetThreadContext.KERNEL32(?,?,?,?,?,?,?,004122F8), ref: 004097EB
                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 004097F9
                                                                        • WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,004122F8), ref: 00409831
                                                                        • Wow64SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040984E
                                                                        • ResumeThread.KERNELBASE(?,?,?,?,?,?,?,?,?,?,004122F8), ref: 0040985B
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        • API ID: ProcessThread$ContextWow64$CreateMemoryResumeTerminateWrite
                                                                        • String ID: D
                                                                        • API String ID: 2098669666-2746444292
                                                                        • Opcode ID: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                        • Instruction ID: 6dc29e085b1385aad622296cf5a9b119a202239bcf48ce0aeeb22bf7d7f748db
                                                                        • Opcode Fuzzy Hash: bfc8fb38e21afcc8978dd871529b03129cc6a272bb135abfd583736d5c6f917f
                                                                        • Instruction Fuzzy Hash: 54216DB2901119BBDB119FA1DC49EEF7B7CEF05750F004071B909F2191EB759A44CAA8

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,004122F8,004042B6,00000000,00000001,004122F8,00000000,?,004098FD), ref: 00404021
                                                                        • GetLastError.KERNEL32(?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 0040402C
                                                                        • Sleep.KERNEL32(000001F4,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404046
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateErrorFileLastSleep
                                                                        • String ID:
                                                                        • API String ID: 408151869-0
                                                                        • Opcode ID: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                        • Instruction ID: 3804347f6bd7ba573f3b83e06e35dce69dd086f5e0a34025cfebbc3953b0dfe0
                                                                        • Opcode Fuzzy Hash: 6f680220710ad79833a0587a74a8d4d803d4b32c880204d479e51cf724750932
                                                                        • Instruction Fuzzy Hash: 05F0A771240101AAD7311B24BC49B5B36A1DBC6734F258B76F3B5F21E0C67458C19B1D

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0040EC5E
                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 0040EC72
                                                                        • GetTickCount.KERNEL32 ref: 0040EC78
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Time$CountFileInformationSystemTickVolume
                                                                        • String ID:
                                                                        • API String ID: 1209300637-0
                                                                        • Opcode ID: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                        • Instruction ID: 1673bc13977c8672636575d9c8a2f9c2942a42ce341afdc75306ae3be589e196
                                                                        • Opcode Fuzzy Hash: 317f96d9bc7de3e67904a91eb6120da1bd741d4a36fd8a43a77db32c5f55538a
                                                                        • Instruction Fuzzy Hash: 6BE0BFF5810104FFEB11EBB0EC4EEBB7BBCFB08315F504661B915D6090DAB49A448B64

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetUserNameW.ADVAPI32(?,00401FA1), ref: 00406E55
                                                                        • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,00000000,00000012), ref: 00406E8D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Name$AccountLookupUser
                                                                        • String ID:
                                                                        • API String ID: 2370142434-0
                                                                        • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                        • Instruction ID: d69833bf2c7126fc9b7bd4b1d5117f4fe90a033eeaed535c4400ab00b2689cfd
                                                                        • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                        • Instruction Fuzzy Hash: 0211F776900218EBDF21CFD4C884ADFB7BCAB04741F1542B6E502F6290DB749B989BE4

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 025DDB69
                                                                        • Module32First.KERNEL32(00000000,00000224), ref: 025DDB89
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773773019.00000000025D9000.00000040.00000020.00020000.00000000.sdmp, Offset: 025D9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_25d9000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                        • String ID:
                                                                        • API String ID: 3833638111-0
                                                                        • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                        • Instruction ID: 02f53fd00a22e67c21181beb5221992bf5413c544c1bca76b6e7ff1fd7c8e3aa
                                                                        • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                        • Instruction Fuzzy Hash: 5AF062365017116BE7302AFDA88DB7A7AF8BF49668F100528E646920C0DB70E8454A69

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00000400,?,?,02550223,?,?), ref: 02550E19
                                                                        • SetErrorMode.KERNELBASE(00000000,?,?,02550223,?,?), ref: 02550E1E
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorMode
                                                                        • String ID:
                                                                        • API String ID: 2340568224-0
                                                                        • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                        • Instruction ID: 0a691935fcb4c5b5a949147956b2719d15e56e8ab85107f5cb4592576584c2a3
                                                                        • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                        • Instruction Fuzzy Hash: A9D0123114512877D7002AD4DC09BCD7F1CDF09B66F108011FB0DD9080C770954046E9

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 00406CC9: GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                          • Part of subcall function 00406CC9: GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                          • Part of subcall function 00406CC9: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                          • Part of subcall function 00406CC9: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                        • GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000,000000C8), ref: 00406E1A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Directory$AddressHandleInformationModuleProcSystemVolumeWindows
                                                                        • String ID:
                                                                        • API String ID: 1823874839-0
                                                                        • Opcode ID: 05478fb9babea3aedd85a8edb4ab166fddf6c1b165fd5123cd32555987dcb6f6
                                                                        • Instruction ID: 937aca74520052d45988c2d0c0f169875d4d0bc257a2eacc80ff7e120b8985ce
                                                                        • Opcode Fuzzy Hash: 05478fb9babea3aedd85a8edb4ab166fddf6c1b165fd5123cd32555987dcb6f6
                                                                        • Instruction Fuzzy Hash: 75F0C2B6104218AFD710DB64EDC4EE777EED714308F1084B6E286E3145D6B89DA85B6C

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • SetServiceStatus.SECHOST(00413394), ref: 004098EB
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ServiceStatus
                                                                        • String ID:
                                                                        • API String ID: 3969395364-0
                                                                        • Opcode ID: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                        • Instruction ID: dd676a4af3dd8f9e000b524091363a81fd6157f1888c947a943bd607f736cbf1
                                                                        • Opcode Fuzzy Hash: ed568b8bb23c32db7e8f15f5619feefc651b0b7a3ef30a3dcb983adc29e58fc0
                                                                        • Instruction Fuzzy Hash: 02F0F271514208EFCB18CF14E89869A7BA0F348706B20C83EE82AD2371CB749A80DF0D

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 025DD851
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773773019.00000000025D9000.00000040.00000020.00020000.00000000.sdmp, Offset: 025D9000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_25d9000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                        • Instruction ID: 9ff407aad0ce76bd86226863c5820f6261b7f236b954dbbfbe818c6c4541974a
                                                                        • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                        • Instruction Fuzzy Hash: A4112879A40208EFDB01DF98C985E98BBF5AF08751F0580A4F9489B361D371EA90DF84

                                                                        Control-flow Graph

                                                                        APIs
                                                                          • Part of subcall function 00404280: CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
                                                                        • Sleep.KERNEL32(000003E8,00000100,004122F8,0040A3C7), ref: 00409909
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateEventSleep
                                                                        • String ID:
                                                                        • API String ID: 3100162736-0
                                                                        • Opcode ID: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                        • Instruction ID: e56085e6bf9507d1b9c0d1fa6774ae3e34a200a1ca8b69066151cd7271dcc025
                                                                        • Opcode Fuzzy Hash: 4d41be995d42169e7907864f945f5cc175d4e7c56b3013806251050fc082db50
                                                                        • Instruction Fuzzy Hash: 58F05472A81360A6E62226566C07F8F19040B95B24F05417EF744BA2C395E8495141ED
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 025565F6
                                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 02556610
                                                                        • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02556631
                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02556652
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 1965334864-0
                                                                        • Opcode ID: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                        • Instruction ID: 375ec10b23e9159f10f2768afae257a28a04dff4e958961fe7cffd06c488ae20
                                                                        • Opcode Fuzzy Hash: f6d5bfc494c97751726a91e8fcfc29ef8439432d9fc6ff92f654e37a29c1b935
                                                                        • Instruction Fuzzy Hash: 7E1191B1600269BFDB219F65DC15F9B3FACFB057A5F004025FE08A7250D7B1DD008AA8
                                                                        APIs
                                                                        • ExitProcess.KERNEL32 ref: 02559E6D
                                                                        • lstrcpy.KERNEL32(?,00000000), ref: 02559FE1
                                                                        • lstrcat.KERNEL32(?,?), ref: 02559FF2
                                                                        • lstrcat.KERNEL32(?,0041070C), ref: 0255A004
                                                                        • GetFileAttributesExA.KERNEL32(?,?,?), ref: 0255A054
                                                                        • DeleteFileA.KERNEL32(?), ref: 0255A09F
                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 0255A0D6
                                                                        • lstrcpy.KERNEL32 ref: 0255A12F
                                                                        • lstrlen.KERNEL32(00000022), ref: 0255A13C
                                                                        • GetTempPathA.KERNEL32(000001F4,?), ref: 02559F13
                                                                          • Part of subcall function 02557029: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00412F0C,00000000,00000000,00000000,00000000), ref: 02557081
                                                                          • Part of subcall function 02556F30: GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\wukhxvso,02557043), ref: 02556F4E
                                                                          • Part of subcall function 02556F30: GetProcAddress.KERNEL32(00000000), ref: 02556F55
                                                                          • Part of subcall function 02556F30: GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02556F7B
                                                                          • Part of subcall function 02556F30: GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02556F92
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,?,00000103,?,?,?,?), ref: 0255A1A2
                                                                        • RegSetValueExA.ADVAPI32(?,00000001,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0255A1C5
                                                                        • GetModuleHandleA.KERNEL32(?,?,00000104,?,?,00000010,?,?,00000044,?,?,?,?,?,?,00000103), ref: 0255A214
                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,00000104,?,?,00000010,?,?,00000044), ref: 0255A21B
                                                                        • GetDriveTypeA.KERNEL32(?), ref: 0255A265
                                                                        • lstrcat.KERNEL32(?,00000000), ref: 0255A29F
                                                                        • lstrcat.KERNEL32(?,00410A34), ref: 0255A2C5
                                                                        • lstrcat.KERNEL32(?,00000022), ref: 0255A2D9
                                                                        • lstrcat.KERNEL32(?,00410A34), ref: 0255A2F4
                                                                        • wsprintfA.USER32 ref: 0255A31D
                                                                        • lstrcat.KERNEL32(?,00000000), ref: 0255A345
                                                                        • lstrcat.KERNEL32(?,?), ref: 0255A364
                                                                        • CreateProcessA.KERNEL32(?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?,?,00000010), ref: 0255A387
                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,08000000,?,?,?,?,?,?,00000104,?), ref: 0255A398
                                                                        • RegCloseKey.ADVAPI32(?,?,00000001,?,000001F5,?,?,?,00000103,?,?,?,?), ref: 0255A1D1
                                                                          • Part of subcall function 02559966: RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 0255999D
                                                                          • Part of subcall function 02559966: RegDeleteValueA.ADVAPI32(?,00000000), ref: 025599BD
                                                                          • Part of subcall function 02559966: RegCloseKey.ADVAPI32(?), ref: 025599C6
                                                                        • GetModuleHandleA.KERNEL32(?,?,0000012C), ref: 0255A3DB
                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,0000012C), ref: 0255A3E2
                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 0255A41D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcat$FileModule$DeleteHandle$CloseDirectoryDriveNameOpenProcessTypeValuelstrcpy$AddressAttributesCreateEnvironmentExitInformationPathProcSystemTempVariableVolumeWindowslstrlenwsprintf
                                                                        • String ID: "$"$"$D$P$\
                                                                        • API String ID: 1653845638-2605685093
                                                                        • Opcode ID: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                        • Instruction ID: 4aeff626e14379018db9d085afbce6625c22e4d17a3322adee6b6c8a35d0600e
                                                                        • Opcode Fuzzy Hash: 2004a96a3fb695a35ebb74482f6fad10186942e4c1f31b0e0affa7522a4f957f
                                                                        • Instruction Fuzzy Hash: 19F140B1C4026AEFDF11DBA0DC58EEE7BBCBF08304F1445A6EA05E2151E77596848F68
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,00000000,00401839,00409646), ref: 00401012
                                                                        • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 004010C2
                                                                        • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 004010E1
                                                                        • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 00401101
                                                                        • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 00401121
                                                                        • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 00401140
                                                                        • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 00401160
                                                                        • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 00401180
                                                                        • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040119F
                                                                        • GetProcAddress.KERNEL32(00000000,NtClose), ref: 004011BF
                                                                        • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 004011DF
                                                                        • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 004011FE
                                                                        • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 0040121A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressProc$LibraryLoad
                                                                        • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                        • API String ID: 2238633743-3228201535
                                                                        • Opcode ID: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                        • Instruction ID: c8dd2db2df3f08e17c6117e54d1286841a2c4197db930f8a9693796d5e259140
                                                                        • Opcode Fuzzy Hash: 099c329b46637f9171a1ca57a4c5e0107e32006a0b8f6d8903d04b45664d461e
                                                                        • Instruction Fuzzy Hash: 2F5100B1662641A6D7118F69EC84BD23AE86748372F14837B9520F62F0D7F8CAC1CB5D
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 0040B2B3
                                                                        • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 0040B2C2
                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B2D0
                                                                        • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 0040B2E1
                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 0040B31A
                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 0040B329
                                                                        • wsprintfA.USER32 ref: 0040B3B7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                        • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                        • API String ID: 766114626-2976066047
                                                                        • Opcode ID: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                        • Instruction ID: 3cccae2c5b68faf9d5e65ebc3321ef0303f497beb4f825406ae493c25d793f5b
                                                                        • Opcode Fuzzy Hash: fbb2cc535003bdd2a03704f06e43c86ec17b275768f9954b8d174276db173d5b
                                                                        • Instruction Fuzzy Hash: D8510EB1D0021CAADF18DFD5D8495EEBBB9EF48304F10856BE501B6250E7B84AC9CF98
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 00407ABA
                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 00407ADF
                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,0041070C,?,?,?), ref: 00407B16
                                                                        • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 00407B3B
                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 00407B59
                                                                        • EqualSid.ADVAPI32(?,00000022), ref: 00407B6A
                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407B7E
                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407B8C
                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407B9C
                                                                        • RegSetKeySecurity.ADVAPI32(00000000,00000001,00000000), ref: 00407BAB
                                                                        • LocalFree.KERNEL32(00000000), ref: 00407BB2
                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,00407FC9,?,00000000), ref: 00407BCE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                        • String ID: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe$D
                                                                        • API String ID: 2976863881-1637623080
                                                                        • Opcode ID: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                        • Instruction ID: e17c9e5f60e255820364911aa1186e0accab4a2e7248257c6285c946b731c67d
                                                                        • Opcode Fuzzy Hash: d4f479c9f78d504b8da3df740f472ce51a34dde969fc05e485fb9939b8f25359
                                                                        • Instruction Fuzzy Hash: 6FA14D71D04219ABDB119FA0DD44EEF7B78FF48304F04807AE505F2290D779AA85CB69
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,000E0100,?), ref: 02557D21
                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 02557D46
                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02557D7D
                                                                        • RegGetKeySecurity.ADVAPI32(?,00000005,?,?), ref: 02557DA2
                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02557DC0
                                                                        • EqualSid.ADVAPI32(?,?), ref: 02557DD1
                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02557DE5
                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02557DF3
                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02557E03
                                                                        • RegSetKeySecurity.ADVAPI32(?,00000001,00000000), ref: 02557E12
                                                                        • LocalFree.KERNEL32(00000000), ref: 02557E19
                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02557E35
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                        • String ID: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe$D
                                                                        • API String ID: 2976863881-1637623080
                                                                        • Opcode ID: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                        • Instruction ID: bb088418f04ca9e6b8b8f0ecd873fb49a21a2fe3488d5f3dd09044361a556185
                                                                        • Opcode Fuzzy Hash: 1a53823342927d1e4650e54f1beed8d9b04cc787a6d03e02cd47dd5285ddf864
                                                                        • Instruction Fuzzy Hash: 7BA14E71900229AFDB11CFA1DD98FEEBFB9FF08304F04816AE905E6150D7759A85CB68
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                        • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                        • API String ID: 2400214276-165278494
                                                                        • Opcode ID: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                        • Instruction ID: e6dd37f2d7c7e48b8b359c94d8b0a85da35b73f81cc1d7405eac3f4e783bc3bd
                                                                        • Opcode Fuzzy Hash: b90de3a98ed26af7195d6c430e21dd073139462529909c443086ffd26068662a
                                                                        • Instruction Fuzzy Hash: 26615F72940208EFDB609FB4DC45FEA77E9FF08300F24846AF95DD2161DA7599908F58
                                                                        APIs
                                                                        • wsprintfA.USER32 ref: 0040A7FB
                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 0040A87E
                                                                        • send.WS2_32(00000000,?,00000000,00000000), ref: 0040A893
                                                                        • wsprintfA.USER32 ref: 0040A8AF
                                                                        • send.WS2_32(00000000,.,00000005,00000000), ref: 0040A8D2
                                                                        • wsprintfA.USER32 ref: 0040A8E2
                                                                        • recv.WS2_32(00000000,?,000003F6,00000000), ref: 0040A97C
                                                                        • wsprintfA.USER32 ref: 0040A9B9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wsprintf$send$lstrlenrecv
                                                                        • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                        • API String ID: 3650048968-2394369944
                                                                        • Opcode ID: 746662ae2e07b1e187343bb9806b09eabb2692b1532a6a4bb231cefe9db8a9a3
                                                                        • Instruction ID: cb8b6fe7cbcb8804cc0a5996a8d7cccc3c4edaa2c523fe44b9a5a0cb3107b5a3
                                                                        • Opcode Fuzzy Hash: 746662ae2e07b1e187343bb9806b09eabb2692b1532a6a4bb231cefe9db8a9a3
                                                                        • Instruction Fuzzy Hash: 34A16872A44305AADF209A54DC85FEF3B79AB00304F244437FA05B61D0DA7D9DA98B5F
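The strings and calls in the record above describe a hand-written SMTP client: it greets with ehlo/helo, may authenticate with AUTH LOGIN, walks mail from / rcpt to / data / "." / quit, reads replies into a buffer of 0x3F6 bytes (recv at 0040A97C) and aborts on replies it considers too big, too small or incorrect. A lab counterpart for that client, as an added example that is not part of the Joe Sandbox report or of the sample: a fake SMTP endpoint that accepts exactly that dialogue, keeps every reply to a single short line so the size checks pass, records envelope and message body for each submission, and decodes the base64 AUTH LOGIN credentials for the incident record. The hostname sink.lab, the port, and the dialogue driven in the test are assumptions; in a sandbox the DNS/MX answers have to point the client at the host running it.

```python
"""Minimal SMTP sink for capturing what an SMTP-speaking bot sends inside a lab.

Added example, not code from the report or the sample. The state machine is kept
separate from the socket handling so the protocol logic can be exercised offline.
"""
import base64
import binascii
import socketserver

CLIENT_RECV_LIMIT = 0x3F6   # size of the recv buffer seen in the client; replies must fit in it


def _b64(text):
    """Decode a base64 AUTH LOGIN token, keeping the raw text if it is malformed."""
    try:
        return base64.b64decode(text).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return text


def _address(arg):
    """Pull the mailbox out of 'from:<x@y>' / 'to:<x@y>' as the client formats them."""
    start, end = arg.find("<"), arg.find(">")
    return arg[start + 1:end] if start != -1 and end > start else arg.split(":", 1)[-1].strip()


class SmtpSink:
    """Per-connection protocol state: command | auth_user | auth_pass | data."""

    def __init__(self, hostname="sink.lab"):          # hostname is an assumption
        self.hostname = hostname
        self.state = "command"
        self.credentials = []      # (username, password) pairs offered via AUTH LOGIN
        self.messages = []         # dicts with sender, recipients, body
        self._pending_user = None
        self._envelope = {"sender": None, "recipients": [], "body": ""}
        self._body = []

    def banner(self):
        # the client looks for "ESMTP" in the greeting before deciding on ehlo vs helo
        return f"220 {self.hostname} ESMTP ready"

    def feed(self, line):
        """Consume one CRLF-stripped line from the client; return the reply or None."""
        if self.state == "data":
            if line == ".":
                self._envelope["body"] = "\r\n".join(self._body)
                self.messages.append(self._envelope)
                self._envelope = {"sender": None, "recipients": [], "body": ""}
                self._body = []
                self.state = "command"
                return "250 OK queued"
            self._body.append(line[1:] if line.startswith("..") else line)   # undo dot-stuffing
            return None
        if self.state == "auth_user":
            self._pending_user = _b64(line)
            self.state = "auth_pass"
            return "334 UGFzc3dvcmQ6"          # base64("Password:")
        if self.state == "auth_pass":
            self.credentials.append((self._pending_user, _b64(line)))
            self.state = "command"
            return "235 Authentication successful"

        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            return f"250 {self.hostname}"      # one line, no extension list: stays under the size check
        if verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            if mech.upper() != "LOGIN":
                return "504 Unrecognized authentication type"
            if initial:                        # "AUTH LOGIN <base64 user>" initial-response form
                self._pending_user = _b64(initial)
                self.state = "auth_pass"
                return "334 UGFzc3dvcmQ6"
            self.state = "auth_user"
            return "334 VXNlcm5hbWU6"          # base64("Username:")
        if verb == "MAIL":
            self._envelope["sender"] = _address(arg)
            return "250 OK"
        if verb == "RCPT":
            self._envelope["recipients"].append(_address(arg))
            return "250 OK"
        if verb == "DATA":
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognised command"


class SinkHandler(socketserver.StreamRequestHandler):
    def handle(self):
        sink = SmtpSink()
        self.wfile.write((sink.banner() + "\r\n").encode())
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            reply = sink.feed(raw.decode("utf-8", "replace").rstrip("\r\n"))
            if reply:
                self.wfile.write((reply[:CLIENT_RECV_LIMIT - 2] + "\r\n").encode())
                if reply.startswith("221"):
                    break
        for user, pw in sink.credentials:
            print(f"[credential] {user!r} / {pw!r}")
        for m in sink.messages:
            print(f"[message] {m['sender']} -> {m['recipients']} ({len(m['body'])} bytes)")


def serve(port=2525):                               # port is an assumption; use 25 behind fake DNS
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), SinkHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The handler closes the connection only on QUIT or EOF, so a client that sends several messages on one session is captured in full; the body is stored as received, so headers the client builds itself (for example the Date header assembled by the time-formatting routine earlier in this dump) are preserved for fingerprinting.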
                                                                        APIs
                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 0040782F
                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00407866
                                                                        • GetLengthSid.ADVAPI32(?), ref: 00407878
                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 0040789A
                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00407F63,?), ref: 004078B8
                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004078D2
                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 004078E3
                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 004078F1
                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 00407901
                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 00407910
                                                                        • LocalFree.KERNEL32(00000000), ref: 00407917
                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00407933
                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00407963
                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 0040798A
                                                                        • DeleteAce.ADVAPI32(?,00000000), ref: 004079A3
                                                                        • EqualSid.ADVAPI32(?,00407F63), ref: 004079C5
                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 00407A4A
                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00407A58
                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 00407A69
                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
                                                                        • LocalFree.KERNEL32(00000000), ref: 00407A87
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                        • String ID: D
                                                                        • API String ID: 3722657555-2746444292
                                                                        • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                        • Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
                                                                        • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                        • Instruction Fuzzy Hash: 59813C71E04119ABDB11CFA5DD44FEFBBB8AB08340F14817AE505F6290D739AA41CF69
                                                                        APIs
                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 02557A96
                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02557ACD
                                                                        • GetLengthSid.ADVAPI32(?), ref: 02557ADF
                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02557B01
                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,?,?), ref: 02557B1F
                                                                        • EqualSid.ADVAPI32(?,?), ref: 02557B39
                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02557B4A
                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02557B58
                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02557B68
                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02557B77
                                                                        • LocalFree.KERNEL32(00000000), ref: 02557B7E
                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02557B9A
                                                                        • GetAce.ADVAPI32(?,?,?), ref: 02557BCA
                                                                        • EqualSid.ADVAPI32(?,?), ref: 02557BF1
                                                                        • DeleteAce.ADVAPI32(?,?), ref: 02557C0A
                                                                        • EqualSid.ADVAPI32(?,?), ref: 02557C2C
                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02557CB1
                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02557CBF
                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02557CD0
                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02557CE0
                                                                        • LocalFree.KERNEL32(00000000), ref: 02557CEE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                        • String ID: D
                                                                        • API String ID: 3722657555-2746444292
                                                                        • Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                        • Instruction ID: 89b8c9112a6d15c0351ddb20434d678db6ad8a0ebccfb80029827128500c0bdb
                                                                        • Opcode Fuzzy Hash: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
                                                                        • Instruction Fuzzy Hash: 4E814D7190022AAFDB11CFA5DD98FEEBFB8BF0C304F04806AE915E6150E7759641CB68
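The two records above are the same function in two dumps, and the registry variant earlier in this section follows the same sequence: look up the current user's SID, read the object's owner (GetFileSecurityA / RegGetKeySecurity with OWNER|DACL), compare it with EqualSid, write a new owner when they differ, then walk the DACL with GetAce, DeleteAce the matching entries and install a freshly built DACL through SetFileSecurityA(…,4,…) / RegSetKeySecurity. A triage and clean-up helper for the dropped file, as an added example that is not part of the report or the sample: it parses `icacls` output for the path named in the strings above, flags a DACL that no longer carries inherited entries, lacks the SYSTEM/Administrators entries or contains explicit denies, and emits the commands to regain control. The two icacls listings embedded in the block are constructed to mirror the tool's layout; the "no inherited ACEs" heuristic also fires on files whose inheritance was disabled legitimately, so treat it as a hint, not proof.

```python
"""Check and repair the DACL of a file whose owner and ACL were rewritten by malware.

Added example, not code from the report or the sample. Assumes the usual `icacls`
layout: the first ACE follows the path on the same line, later ACEs are indented,
and a "Successfully processed" summary closes the listing.
"""
import re
import subprocess

DROPPED_FILE = r"C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe"   # path taken from the report strings

# principal:(flag)(flag)...  flags include I (inherited), DENY, OI/CI, and rights such as F or RX
ACE_RE = re.compile(r"^(?P<principal>[^:(]+):(?P<flags>(?:\([^)]*\))+)$")
REQUIRED_PRINCIPALS = {r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators"}

# Constructed listings: one as left by an explicit DACL rewrite, one with normal inheritance.
CONSTRUCTED_STRIPPED = r"""C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe BUILTIN\Administrators:(F)
                                             NT AUTHORITY\SYSTEM:(F)
                                             Everyone:(DENY)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
CONSTRUCTED_INHERITED = r"""C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe NT AUTHORITY\SYSTEM:(I)(F)
                                             BUILTIN\Administrators:(I)(F)
                                             BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(output, path):
    """Return [(principal, [flag, ...])] from the text `icacls <path>` prints."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.lower().startswith(path.lower()):      # first ACE shares the line with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m:
            aces.append((m.group("principal"), re.findall(r"\(([^)]*)\)", m.group("flags"))))
    return aces


def acl_findings(aces):
    """Signs that the DACL was rebuilt from scratch instead of inherited from the directory."""
    findings = []
    present = {principal for principal, _ in aces}
    for principal in sorted(REQUIRED_PRINCIPALS - present):
        findings.append(f"no ACE for {principal}")
    if aces and not any("I" in flags for _, flags in aces):
        findings.append("no inherited ACEs: DACL was written explicitly")
    for principal, flags in aces:
        if "DENY" in flags:
            findings.append(f"explicit deny for {principal}")
    return findings


def remediation_commands(path):
    """Commands an elevated responder runs, in order, once the running copy is stopped."""
    quoted = '"%s"' % path
    return [
        "takeown /F %s /A" % quoted,                       # owner -> Administrators group
        "icacls %s /reset" % quoted,                       # discard the explicit DACL, re-enable inheritance
        "icacls %s /grant BUILTIN\\Administrators:F" % quoted,
        "del /F %s" % quoted,
    ]


def check_file(path=DROPPED_FILE):
    """Windows only: run icacls on the live system and return (aces, findings)."""
    out = subprocess.run(["icacls", path], capture_output=True, text=True, check=False).stdout
    aces = parse_icacls(out, path)
    return aces, acl_findings(aces)


if __name__ == "__main__":
    aces, findings = check_file()
    for principal, flags in aces:
        print(f"{principal}: {' '.join(flags)}")
    for f in findings:
        print("finding:", f)
    if findings:
        print("\n".join(remediation_commands(DROPPED_FILE)))
```

The registry key handled by the RegGetKeySecurity/RegSetKeySecurity variant is not named on this page; once the report's registry section supplies it, `Get-Acl -Path Registry::HKEY_LOCAL_MACHINE\<key>` in an elevated PowerShell shows its owner and ACEs and `Set-Acl` restores them.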
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
                                                                        • RegQueryValueExA.ADVAPI32(00410750,?,00000000,?,00408893,?,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408414
                                                                        • RegSetValueExA.ADVAPI32(00410750,?,00000000,00000004,00408893,00000004,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 00408441
                                                                        • RegCloseKey.ADVAPI32(00410750,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 0040844A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Value$CloseOpenQuery
                                                                        • String ID: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe$localcfg
                                                                        • API String ID: 237177642-125568393
                                                                        • Opcode ID: c0ed8608904dbf5daae194d8f805c8f7c37291116167fddd5df035c008f9e7d4
                                                                        • Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
                                                                        • Opcode Fuzzy Hash: c0ed8608904dbf5daae194d8f805c8f7c37291116167fddd5df035c008f9e7d4
                                                                        • Instruction Fuzzy Hash: DAC1D2B1D00109BEEB11ABA0DE85EEF7BBCEB04304F14447FF544B2191EA794E948B69
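Every record in this section carries the same fields: the memory-dump source and its load offset, an API ID / String ID pair, and an Opcode ID and Instruction ID that fingerprint the function. The two copies of the file-ACL function above share Opcode ID bb30bf07… between the 00400000 image and the 02550000 region while their Instruction IDs differ, and the record just above ties the dropped path and the localcfg value name to one function. An added example, not part of the report or of the Joe Sandbox tooling, that parses records in this layout, reports Opcode IDs present in more than one dump, and collects the path and executable strings from the String ID fields for the indicator list. The embedded report text is a constructed excerpt assembled from records on this page so the script runs offline; the bullet and "ref:" conventions it relies on are the ones visible above.

```python
"""Parse Joe Sandbox function records, correlate them across dumps, collect string IOCs.

Added example; not part of the report or of Joe Sandbox. CONSTRUCTED_REPORT is a
constructed excerpt in the layout printed above (APIs / • lines / ID fields).
"""
import re
from collections import defaultdict

CONSTRUCTED_REPORT = r"""APIs
• GetUserNameA.ADVAPI32(?,?), ref: 0040782F
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 00407A79
• Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• String ID: D
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: df0c13f2d89176358eaf39038022480abc221899387876bf5e0f356ce13a0778
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 02557A96
• SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02557CE0
• Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
• String ID: D
• Opcode ID: bb30bf074c347c8653546d93d28bb934471e976575b6637e302f0e375d0d0c6d
• Instruction ID: 89b8c9112a6d15c0351ddb20434d678db6ad8a0ebccfb80029827128500c0bdb
APIs
• RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,Function_00010750,?,?,00000000,localcfg,00000000), ref: 004083F3
  • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
• Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• String ID: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe$localcfg
• Opcode ID: c0ed8608904dbf5daae194d8f805c8f7c37291116167fddd5df035c008f9e7d4
• Instruction ID: 84ba07e5042139a9063b988de9b3f7486f2cd5d6c0453319c527b22e45c4d953
APIs
• wsprintfA.USER32 ref: 0040A7FB
• Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
• Opcode ID: 2389670ef0d52bc0af3abcc9b5081f8297bcd674c671d6a9091d706800eac20c
• Instruction ID: 915494465e6448ea0d8334ed2feda226c725056e28db06d0983f622db304c09c
"""

# "• Api.MODULE(args), ref: ADDR" or "• Api.MODULE ref: ADDR"
API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")
# drive-letter or %var% paths, or bare executable/library names
IOC_RE = re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z]+%\\).+|.+\.(?:exe|dll)$", re.IGNORECASE)


def parse_records(text):
    """Split report text into one dict per function record (apis, offset, strings, ids)."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            rec = {"apis": [], "strings": [], "offset": None}
            records.append(rec)
            continue
        if rec is None or line.startswith("• Part of"):    # nested subcall lines belong to another function
            continue
        m = API_RE.match(line)
        if m:
            rec["apis"].append((m.group("api"), m.group("module"), m.group("ref")))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key == "Source File":
            found = re.search(r"Offset:\s*([0-9A-Fa-f]+)", value)
            rec["offset"] = found.group(1) if found else None
            rec["dump"] = value.split(",", 1)[0]
        elif key == "String ID":
            rec["strings"] = [s for s in value.split("$") if s]
        else:
            rec[key.lower().replace(" ", "_")] = value
    return records


def shared_functions(records):
    """Opcode IDs seen at more than one load offset: the same code present in two dumps."""
    by_opcode = defaultdict(set)
    for rec in records:
        if rec.get("opcode_id") and rec["offset"]:
            by_opcode[rec["opcode_id"]].add(rec["offset"])
    return {oid: sorted(offs) for oid, offs in by_opcode.items() if len(offs) > 1}


def indicator_strings(records):
    """Paths and executable names from String ID fields, de-duplicated and sorted."""
    return sorted({s for rec in records for s in rec["strings"] if IOC_RE.match(s)})


if __name__ == "__main__":
    recs = parse_records(CONSTRUCTED_REPORT)
    for oid, offs in shared_functions(recs).items():
        print(f"{oid[:16]}... present at offsets {', '.join(offs)}")
    for ioc in indicator_strings(recs):
        print("IOC:", ioc)
```

Run against the full function section of a report, the shared-function map separates code the sample carries in its own image from code that exists only in the unpacked or injected region, and the string pass yields the dropped path and the tool names the UAC-related function references without reading every record by hand.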
                                                                        APIs
                                                                        • ShellExecuteExW.SHELL32(?), ref: 0040139A
                                                                        • lstrlenW.KERNEL32(-00000003), ref: 00401571
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExecuteShelllstrlen
                                                                        • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                        • API String ID: 1628651668-179334549
                                                                        APIs
                                                                        • GetVersionExA.KERNEL32 ref: 00401DC6
                                                                        • GetSystemInfo.KERNEL32(?), ref: 00401DE8
                                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 00401E03
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00401E0A
                                                                        • GetCurrentProcess.KERNEL32(?), ref: 00401E1B
                                                                        • GetTickCount.KERNEL32 ref: 00401FC9
                                                                          • Part of subcall function 00401BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                        • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                        • API String ID: 4207808166-1381319158
                                                                        APIs
                                                                        • inet_addr.WS2_32(123.45.67.89), ref: 004019B1
                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,?,?,?,?,00000001,00401E9E), ref: 004019BF
                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 004019E2
                                                                        • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 004019ED
                                                                        • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 004019F9
                                                                        • GetProcessHeap.KERNEL32(?,?,?,?,00000001,00401E9E), ref: 00401A1D
                                                                        • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,00401E9E), ref: 00401A36
                                                                        • HeapReAlloc.KERNEL32(?,00000000,00000000,00401E9E,?,?,?,?,00000001,00401E9E), ref: 00401A5A
                                                                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,00401E9E), ref: 00401A9B
                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,00401E9E), ref: 00401AA4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$AddressProc$AllocFreeLibrary$LoadProcessinet_addr
                                                                        • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                        • API String ID: 835516345-270533642
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000103,?), ref: 0255865A
                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,00000103,?), ref: 0255867B
                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,?,00000004,?,?,00000000,00000103,?), ref: 025586A8
                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 025586B1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Value$CloseOpenQuery
                                                                        • String ID: "$C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe
                                                                        • API String ID: 237177642-2234931768
                                                                        APIs
                                                                        • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 00402A83
                                                                        • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 00402A86
                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 00402AA0
                                                                        • htons.WS2_32(00000000), ref: 00402ADB
                                                                        • select.WS2_32 ref: 00402B28
                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 00402B4A
                                                                        • htons.WS2_32(?), ref: 00402B71
                                                                        • htons.WS2_32(?), ref: 00402B8C
                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 00402BFB
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                        • String ID:
                                                                        • API String ID: 1639031587-0
                                                                        APIs
                                                                        • ShellExecuteExW.SHELL32(?), ref: 02551601
                                                                        • lstrlenW.KERNEL32(-00000003), ref: 025517D8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExecuteShelllstrlen
                                                                        • String ID: $<$@$D
                                                                        • API String ID: 1628651668-1974347203
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,00020119,?), ref: 025576D9
                                                                        • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000101,?), ref: 02557757
                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,00000104), ref: 0255778F
                                                                        • ___ascii_stricmp.LIBCMT ref: 025578B4
                                                                        • RegCloseKey.ADVAPI32(?), ref: 0255794E
                                                                        • RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0255796D
                                                                        • RegCloseKey.ADVAPI32(?), ref: 0255797E
                                                                        • RegCloseKey.ADVAPI32(?), ref: 025579AC
                                                                        • RegCloseKey.ADVAPI32(?), ref: 02557A56
                                                                          • Part of subcall function 0255F40C: lstrlen.KERNEL32(000000E4,00000000,004122F8,000000E4,0255772A,?), ref: 0255F414
                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 025579F6
                                                                        • RegCloseKey.ADVAPI32(?), ref: 02557A4D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                        • String ID: "
                                                                        • API String ID: 3433985886-123907689
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 004070C2
                                                                        • RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 0040719E
                                                                        • RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 004071B2
                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407208
                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407291
                                                                        • ___ascii_stricmp.LIBCMT ref: 004072C2
                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 004072D0
                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 00407314
                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 0040738D
                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 004073D8
                                                                          • Part of subcall function 0040F1A5: lstrlenA.KERNEL32(000000C8,000000E4,004122F8,000000C8,00407150,?), ref: 0040F1AD
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                        • String ID: $"
                                                                        • API String ID: 4293430545-3817095088
                                                                        APIs
                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 02552CED
                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 02552D07
                                                                        • htons.WS2_32(00000000), ref: 02552D42
                                                                        • select.WS2_32 ref: 02552D8F
                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 02552DB1
                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02552E62
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$AllocateProcesshtonsrecvselectsocket
                                                                        • String ID:
                                                                        • API String ID: 127016686-0
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(?), ref: 0040AD98
                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0040ADA6
                                                                          • Part of subcall function 0040AD08: gethostname.WS2_32(?,00000080), ref: 0040AD1C
                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD60
                                                                          • Part of subcall function 0040AD08: lstrlenA.KERNEL32(00000000), ref: 0040AD69
                                                                          • Part of subcall function 0040AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
                                                                          • Part of subcall function 004030B5: gethostname.WS2_32(?,00000080), ref: 004030D8
                                                                          • Part of subcall function 004030B5: gethostbyname.WS2_32(?), ref: 004030E2
                                                                        • wsprintfA.USER32 ref: 0040AEA5
                                                                          • Part of subcall function 0040A7A3: inet_ntoa.WS2_32(?), ref: 0040A7A9
                                                                        • wsprintfA.USER32 ref: 0040AE4F
                                                                        • wsprintfA.USER32 ref: 0040AE5E
                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                        • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                        • API String ID: 3631595830-1816598006
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E01
                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E11
                                                                        • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 00402E2E
                                                                        • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4C
                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402E4F
                                                                        • htons.WS2_32(00000035), ref: 00402E88
                                                                        • inet_addr.WS2_32(?), ref: 00402E93
                                                                        • gethostbyname.WS2_32(?), ref: 00402EA6
                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE3
                                                                        • HeapFree.KERNEL32(00000000,?,00000000,00402F0F,?,004020FF,00412000), ref: 00402EE6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                        • String ID: GetNetworkParams$iphlpapi.dll
                                                                        • API String ID: 929413710-2099955842
                                                                        APIs
                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
                                                                        • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
                                                                        • ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
                                                                        • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
                                                                        • ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
                                                                        • SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
                                                                        • ReadFile.KERNEL32(000000FF,?,00000028,00408244,00000000,?,74DF0F10,00000000), ref: 0040688B
                                                                        • SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 00406906
                                                                        • ReadFile.KERNEL32(000000FF,?,00000000,00408244,00000000,?,74DF0F10,00000000), ref: 0040691C
                                                                        • CloseHandle.KERNEL32(000000FF,?,74DF0F10,00000000), ref: 00406971
                                                                          • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
                                                                          • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$Read$Pointer$AttributesCreateHeap$CloseFreeHandleProcessSize
                                                                        • String ID:
                                                                        • API String ID: 2622201749-0
                                                                        • Opcode ID: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                        • Instruction ID: 23622665348289c9bdc7ba1e7bdf6275147e3319f3664adf7917ee5564634b96
                                                                        • Opcode Fuzzy Hash: d05b9ef8185a7d6987771a176bb27021890da5eba797bb42cdabcd388c34deb0
                                                                        • Instruction Fuzzy Hash: E47109B1D00219EFDB109FA5CC809EEBBB9FB04314F11457AF516B6290E7349EA2DB54
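The read lengths in the trace above are fixed PE structure sizes: 0x40 is sizeof(IMAGE_DOS_HEADER), 0xF8 is sizeof(IMAGE_NT_HEADERS32) and 0x28 is sizeof(IMAGE_SECTION_HEADER), and the SetFilePointer calls between them are what a hand-written header walk looks like (GENERIC_READ = 0x80000000, OPEN_EXISTING = 3; the SetFileAttributesA calls switch the file between FILE_ATTRIBUTE_NORMAL = 0x80 and FILE_ATTRIBUTE_HIDDEN = 0x02). The following Python is an added example, not code from the report or from the sample: it reads a PE32 image in the same order (DOS header, seek to e_lfanew, NT headers, section table) with bounds checks on every offset. The input image is constructed in build_sample_pe32() and is hypothetical; it is not the analysed binary.

```python
import struct

# Read lengths that appear in the trace above, expressed as the PE structure
# sizes they equal (these sizes are fixed by the PE32 format):
DOS_HEADER_SIZE = 0x40       # sizeof(IMAGE_DOS_HEADER)
NT_HEADERS32_SIZE = 0xF8     # sizeof(IMAGE_NT_HEADERS32): 4 + 20 + 224
SECTION_HEADER_SIZE = 0x28   # sizeof(IMAGE_SECTION_HEADER)
FILE_HEADER_FMT = '<HHIIIHH'          # Machine .. Characteristics (20 bytes)
SECTION_HEADER_FMT = '<8sIIIIIIHHI'   # Name .. Characteristics (40 bytes)


def build_sample_pe32(num_sections=2):
    """Constructed, minimal PE32 image used only as test input (hypothetical,
    not the analysed sample). Layout: DOS header, 64-byte stub, NT headers,
    section table."""
    e_lfanew = DOS_HEADER_SIZE + 0x40
    dos = bytearray(DOS_HEADER_SIZE)
    dos[0:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, e_lfanew)
    stub = bytes(e_lfanew - DOS_HEADER_SIZE)
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x014C, num_sections, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into('<H', opt, 0, 0x10B)        # PE32 magic
    struct.pack_into('<I', opt, 16, 0x1000)      # AddressOfEntryPoint
    struct.pack_into('<I', opt, 28, 0x00400000)  # ImageBase
    nt = b'PE\x00\x00' + file_hdr + bytes(opt)
    table = b''
    for i in range(num_sections):
        name = ('.s%d' % i).encode().ljust(8, b'\x00')
        table += struct.pack(SECTION_HEADER_FMT, name, 0x1000, 0x1000 * (i + 1),
                             0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + stub + nt + table


def parse_pe_headers(data):
    """Walk the headers in the order the traced function reads them: 0x40 bytes
    at offset 0, seek to e_lfanew and read 0xF8, then one 0x28-byte section
    header per section. Every offset is bounds-checked before use."""
    if len(data) < DOS_HEADER_SIZE or data[:2] != b'MZ':
        raise ValueError('missing MZ header')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if e_lfanew + NT_HEADERS32_SIZE > len(data):
        raise ValueError('e_lfanew points outside the file')
    nt = data[e_lfanew:e_lfanew + NT_HEADERS32_SIZE]
    if nt[:4] != b'PE\x00\x00':
        raise ValueError('bad PE signature')
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(FILE_HEADER_FMT, nt, 4)
    magic = struct.unpack_from('<H', nt, 24)[0]
    if magic != 0x10B:
        raise ValueError('not a PE32 optional header (magic 0x%X)' % magic)
    entry = struct.unpack_from('<I', nt, 24 + 16)[0]       # AddressOfEntryPoint
    image_base = struct.unpack_from('<I', nt, 24 + 28)[0]  # ImageBase
    table_off = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        off = table_off + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError('section table truncated')
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, ch = \
            struct.unpack_from(SECTION_HEADER_FMT, data, off)
        sections.append({'name': name.rstrip(b'\x00').decode('ascii', 'replace'),
                         'va': va, 'vsize': vsize, 'raw_ptr': raw_ptr,
                         'raw_size': raw_size, 'characteristics': ch})
    return {'machine': machine, 'characteristics': chars, 'num_sections': nsec,
            'entry_point': entry, 'image_base': image_base, 'sections': sections}


if __name__ == '__main__':
    info = parse_pe_headers(build_sample_pe32())
    print('image base 0x%08X, entry RVA 0x%X' % (info['image_base'], info['entry_point']))
    for s in info['sections']:
        print('%-8s VA 0x%05X raw 0x%X (%d bytes)' % (s['name'], s['va'], s['raw_ptr'], s['raw_size']))
```

To apply it to a real file, pass open(path, 'rb').read() to parse_pe_headers(); the bounds checks are what distinguish this walk from the unchecked one a loader stub typically performs, so a truncated or crafted e_lfanew raises instead of reading out of range.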
                                                                        APIs
                                                                        • GetVersionExA.KERNEL32(?,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409340
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 0040936E
                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00409DD7,?,00000022,?,?,00000000,00000001), ref: 00409375
                                                                        • wsprintfA.USER32 ref: 004093CE
                                                                        • wsprintfA.USER32 ref: 0040940C
                                                                        • wsprintfA.USER32 ref: 0040948D
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 004094F1
                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409526
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 00409571
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                        • String ID: runas
                                                                        • API String ID: 3696105349-4000483414
                                                                        • Opcode ID: 97af48ab48525fb617f5abd17424ad614edf633f88179256e16c2771f2badf11
                                                                        • Instruction ID: b6d0878b1d73306239325ce20442e1ed3f1d42e4277a972a89fda7ad6b3a58d4
                                                                        • Opcode Fuzzy Hash: 97af48ab48525fb617f5abd17424ad614edf633f88179256e16c2771f2badf11
                                                                        • Instruction Fuzzy Hash: A7A181B2540208BBEB21DFA1CC45FDF3BACEB44744F104437FA05A2192D7B999848FA9
                                                                        APIs
                                                                        • wsprintfA.USER32 ref: 0040B467
                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 0040EF92
                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(?), ref: 0040EF99
                                                                          • Part of subcall function 0040EF7C: lstrlenA.KERNEL32(00000000), ref: 0040EFA0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$wsprintf
                                                                        • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                        • API String ID: 1220175532-2340906255
                                                                        • Opcode ID: 491365892f8bb9f782b1eadb0c053184f090b87ac727cff77266b05d33f425ed
                                                                        • Instruction ID: bf34ba3998127a8345ca8177a6a798a4e2b1dcf0281bd89f40bace4b7f612c60
                                                                        • Opcode Fuzzy Hash: 491365892f8bb9f782b1eadb0c053184f090b87ac727cff77266b05d33f425ed
                                                                        • Instruction Fuzzy Hash: CE4174B254011D7EDF016B96CCC2DFFBB6CEF4934CB14052AF904B2181EB78A96487A9
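The string table of this function lists the placeholder tokens of Tofsee's spam template language next to the "%s@%s" format the code uses to assemble an address from a user and a domain. The following Python is an added example, not code from the report or the sample: it renders the tokens whose meaning follows from their names (%DATE, %FROM_EMAIL and %TO_EMAIL with their _USER/_DOMAIN halves), reports the ones this report does not explain (%TO_HASH, %M5DATE, %P5DATE) instead of guessing at them, and scans a raw buffer for the same tokens so the memory dumps referenced on this page can be triaged for embedded templates. The template and the dump buffer are constructed for the example, not recovered from the sample.

```python
import re

# Template tokens from this function's string table. Meanings are inferred from
# the names only where obvious; the rest are reported as unresolved.
KNOWN_TOKENS = {'%DATE', '%FROM_DOMAIN', '%FROM_EMAIL', '%FROM_USER', '%M5DATE',
                '%P5DATE', '%TO_DOMAIN', '%TO_EMAIL', '%TO_HASH', '%TO_USER'}
TOKEN_RE = re.compile(r'%[A-Z0-9_]+')

# Constructed template (hypothetical, not recovered from the sample).
SAMPLE_TEMPLATE = ('Date: %DATE\r\n'
                   'From: "%FROM_USER" <%FROM_EMAIL>\r\n'
                   'To: %TO_EMAIL\r\n'
                   'Message-ID: <%TO_HASH@%FROM_DOMAIN>\r\n'
                   '\r\n'
                   'Hello %TO_USER, your account at %TO_DOMAIN needs attention.\r\n')

# Constructed stand-in for a memory dump: the template padded with zero bytes
# and followed by the "%s@%s" format string that the trace also lists.
SAMPLE_BLOB = b'\x00' * 16 + SAMPLE_TEMPLATE.encode('ascii') + b'\x00' * 8 + b'%s@%s\x00'


def split_address(addr):
    """Inverse of the "%s@%s" format: user@domain -> (user, domain)."""
    user, sep, domain = addr.rpartition('@')
    if not sep or not user or not domain:
        raise ValueError('not a user@domain address: %r' % addr)
    return user, domain


def find_tokens(template):
    """Distinct %TOKENS present in a template, sorted."""
    return sorted(set(TOKEN_RE.findall(template)))


def expand_template(template, to_email, from_email, date):
    """Render the tokens whose meaning follows from their names. Returns the
    rendered text and the tokens left verbatim (%TO_HASH, %M5DATE and %P5DATE
    cannot be derived from this report, so they are not touched)."""
    to_user, to_domain = split_address(to_email)
    from_user, from_domain = split_address(from_email)
    values = {'%DATE': date,
              '%FROM_EMAIL': from_email, '%FROM_USER': from_user, '%FROM_DOMAIN': from_domain,
              '%TO_EMAIL': to_email, '%TO_USER': to_user, '%TO_DOMAIN': to_domain}
    rendered = TOKEN_RE.sub(lambda m: values.get(m.group(0), m.group(0)), template)
    unresolved = [t for t in find_tokens(template) if t not in values]
    return rendered, unresolved


def scan_for_tokens(blob):
    """Offsets of known template tokens in a raw dump, for triaging .sdmp files.
    Returns {token: [offset, ...]}; other %-sequences (e.g. "%s") are ignored."""
    hits = {}
    for m in re.finditer(rb'%[A-Z0-9_]{3,}', blob):
        tok = m.group(0).decode('ascii')
        if tok in KNOWN_TOKENS:
            hits.setdefault(tok, []).append(m.start())
    return hits


if __name__ == '__main__':
    text, left = expand_template(SAMPLE_TEMPLATE, 'alice@example.net',
                                 'bob@example.org', 'Mon, 01 Jan 2024 00:00:00 +0000')
    print(text)
    print('unresolved:', left)
    print('tokens in dump:', scan_for_tokens(SAMPLE_BLOB))
```

Run scan_for_tokens() over the bytes of a dumped region to locate candidate templates; a cluster of several distinct tokens within a few hundred bytes is a stronger signal than a single hit, since "%DATE" alone also appears in benign format strings.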
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00402078
                                                                        • GetTickCount.KERNEL32 ref: 004020D4
                                                                        • GetTickCount.KERNEL32 ref: 004020DB
                                                                        • GetTickCount.KERNEL32 ref: 0040212B
                                                                        • GetTickCount.KERNEL32 ref: 00402132
                                                                        • GetTickCount.KERNEL32 ref: 00402142
                                                                          • Part of subcall function 0040F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4), ref: 0040F089
                                                                          • Part of subcall function 0040F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000,0040E513,?,00000000,00000000,?,000000E4,000000C8), ref: 0040F093
                                                                          • Part of subcall function 0040E854: lstrcpyA.KERNEL32(00000001,?,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E88B
                                                                          • Part of subcall function 0040E854: lstrlenA.KERNEL32(00000001,?,0040D8DF,00000001,localcfg,except_info,00100000,00410264), ref: 0040E899
                                                                          • Part of subcall function 00401C5F: wsprintfA.USER32 ref: 00401CE1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                        • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                        • API String ID: 3976553417-1522128867
                                                                        • Opcode ID: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                        • Instruction ID: 2c4ade229706ff5e66d1d9a19171a9bb61e55472092035c31cb102c4d2320628
                                                                        • Opcode Fuzzy Hash: e666061d80d691fc6b112011ec25e37af1bccbb964f924a1abaaf546849d61ae
                                                                        • Instruction Fuzzy Hash: CF51F3706043465ED728EB21EF49B9A3BD4BB04318F10447FE605E62E2DBFC9494CA1D
                                                                        APIs
                                                                        • htons.WS2_32(0040CA1D), ref: 0040F34D
                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 0040F367
                                                                        • closesocket.WS2_32(00000000), ref: 0040F375
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: closesockethtonssocket
                                                                        • String ID: time_cfg
                                                                        • API String ID: 311057483-2401304539
                                                                        • Opcode ID: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                        • Instruction ID: 30084693e0db7c5d018f03cf39b97fa82366a7d059792586ebb4172a1a3c68ff
                                                                        • Opcode Fuzzy Hash: 685126c5453265c7bff9625bd6507709e61d04640598cf9eaa2582fbc6c48842
                                                                        • Instruction Fuzzy Hash: AA319E72900118ABDB20DFA5DC859EF7BBCEF88314F104176F904E3190E7788A858BA9
                                                                        APIs
                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 00404070
                                                                        • ExitProcess.KERNEL32 ref: 00404121
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateEventExitProcess
                                                                        • String ID:
                                                                        • API String ID: 2404124870-0
                                                                        • Opcode ID: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                        • Instruction ID: 074d9bb49edb1fcb374f0917b5464843becdd4ef2bd88426a03fabb40598a920
                                                                        • Opcode Fuzzy Hash: ecdf59d793d742e7872ece16c3f2b9a8eabc219a589cb6fa6f12b524e62dd379
                                                                        • Instruction Fuzzy Hash: 3C5192B1E00209BAEB10ABA19D45FFF7A7CEB54755F00007AFB04B61C1E7798A41C7A9
                                                                        APIs
                                                                          • Part of subcall function 0040A4C7: GetTickCount.KERNEL32 ref: 0040A4D1
                                                                          • Part of subcall function 0040A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                        • GetTickCount.KERNEL32 ref: 0040C31F
                                                                        • GetTickCount.KERNEL32 ref: 0040C32B
                                                                        • GetTickCount.KERNEL32 ref: 0040C363
                                                                        • GetTickCount.KERNEL32 ref: 0040C378
                                                                        • GetTickCount.KERNEL32 ref: 0040C44D
                                                                        • InterlockedIncrement.KERNEL32(0040C4E4), ref: 0040C4AE
                                                                        • CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0040C4E0), ref: 0040C4C1
                                                                        • CloseHandle.KERNEL32(00000000,?,0040C4E0,00413588,00408810), ref: 0040C4CC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                        • String ID: localcfg
                                                                        • API String ID: 1553760989-1857712256
                                                                        • Opcode ID: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                        • Instruction ID: d79c9f10581ee3273b6165e92ba068ddd4f199cf4cd09fd02743c11af2233124
                                                                        • Opcode Fuzzy Hash: afac293e63498dd1283f128a7be93ce9089d2193a9ff6ee31ee25d998cb0b475
                                                                        • Instruction Fuzzy Hash: 0E515CB1A00B41CFC7249F6AC5D552ABBE9FB48304B509A3FE58BD7A90D778F8448B14
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 02553068
                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 02553078
                                                                        • GetProcAddress.KERNEL32(00000000,00410408), ref: 02553095
                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 025530B6
                                                                        • htons.WS2_32(00000035), ref: 025530EF
                                                                        • inet_addr.WS2_32(?), ref: 025530FA
                                                                        • gethostbyname.WS2_32(?), ref: 0255310D
                                                                        • HeapFree.KERNEL32(00000000), ref: 0255314D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$AddressAllocateFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                        • String ID: iphlpapi.dll
                                                                        • API String ID: 2869546040-3565520932
                                                                        • Opcode ID: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                        • Instruction ID: 5a7a8df0a2a8c4f3c4c468a4c24b9b3aba9ebfe1cb6d4b1774a06d515f89b76d
                                                                        • Opcode Fuzzy Hash: 1e8713dd52c6e8bc37e9b2497aa4af782d9b250ffd42f9daf4508d8acafa4540
                                                                        • Instruction Fuzzy Hash: 7231A431E00216BBDB119BB89C58BAE7FB8BF047A4F1441A6ED1CE7290DB74D5418B6C
                                                                        APIs
                                                                        • GetVersionExA.KERNEL32(?), ref: 025595A7
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 025595D5
                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 025595DC
                                                                        • wsprintfA.USER32 ref: 02559635
                                                                        • wsprintfA.USER32 ref: 02559673
                                                                        • wsprintfA.USER32 ref: 025596F4
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02559758
                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 0255978D
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 025597D8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                        • String ID:
                                                                        • API String ID: 3696105349-0
                                                                        • Opcode ID: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                        • Instruction ID: d86045c406c616d831b8ab760971a0e25ce5646102373627569f644e9b6e55ec
                                                                        • Opcode Fuzzy Hash: 0ac1c7cf1312716136e7fb6a36e28e3fd6dbc7c146b39f469b2464a0e942be83
                                                                        • Instruction Fuzzy Hash: D8A16AB2900229EBEB21DFA0CC54FDA3BADBB44740F104027FE05E6151E7B99584CFA8
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                        • LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                        • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 00402D61
                                                                        • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 00402D99
                                                                        • HeapAlloc.KERNEL32(00000000), ref: 00402DA0
                                                                        • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 00402DCB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                        • String ID: DnsQuery_A$dnsapi.dll
                                                                        • API String ID: 3560063639-3847274415
                                                                        • Opcode ID: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                        • Instruction ID: e5e1ee734cbcfb8ca4eff609f7c37a2f42b45bda1feb54b0ffc2340cedddb21a
                                                                        • Opcode Fuzzy Hash: d4096c20dd1105e3ef32148a9c5654c80b560ad64ac552135804a6a2b7bfb5e3
                                                                        • Instruction Fuzzy Hash: 25214F7190022AABCB11AB55DD48AEFBBB8EF08750F104432F905B7290D7F49E8587D8
                                                                        APIs
                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BE4F
                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BE5B
                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BE67
                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 0040BF6A
                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 0040BF7F
                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 0040BF94
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmpi
                                                                        • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                        • API String ID: 1586166983-1625972887
                                                                        • Opcode ID: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                        • Instruction ID: 5eb9e18a275db8e61a6fe50fd05ed02ec51c2bbb25542f34a2f5cec7b259a8e4
                                                                        • Opcode Fuzzy Hash: 5ed1ca685c1a1102e109d808c77f40e9161e989bab58e2ccc029642cf3dec37a
                                                                        • Instruction Fuzzy Hash: 98519F71A0021AEEDB119B65DD40B9ABBA9EF04344F14407BE845FB291D738E9818FDC
                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406A7D
                                                                        • GetDiskFreeSpaceA.KERNEL32(00409E9D,00409A60,?,?,?,004122F8,?,?,?,00409A60,?,?,00409E9D), ref: 00406ABB
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B40
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B4E
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B5F
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B6F
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B7D
                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,00409A60,?,?,00409E9D), ref: 00406B80
                                                                        • GetLastError.KERNEL32(?,?,?,00409A60,?,?,00409E9D,?,?,?,?,?,00409E9D,?,00000022,?), ref: 00406B96
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                        • String ID:
                                                                        • API String ID: 3188212458-0
                                                                        • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                        • Instruction ID: ab228a986819567a034f5778c60117e3a6ddbbfebf067212e33de9fc62893814
                                                                        • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                        • Instruction Fuzzy Hash: 6C31F1B2900108BFDB00DFA09D44ADF7F78EF48310F158076E212F7291D674A9618F69
                                                                        APIs
                                                                        • IsBadHugeReadPtr.KERNEL32(?,00000008), ref: 025567C3
                                                                        • htonl.WS2_32(?), ref: 025567DF
                                                                        • htonl.WS2_32(?), ref: 025567EE
                                                                        • GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000), ref: 025568F1
                                                                        • ExitProcess.KERNEL32 ref: 025569BC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Processhtonl$CurrentExitHugeRead
                                                                        • String ID: except_info$localcfg
                                                                        • API String ID: 1150517154-3605449297
                                                                        • Opcode ID: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                        • Instruction ID: a248e77f6fae2a168c641ce5cf1d94b423f3bc07ebddf6edcdcd6bd89353d73f
                                                                        • Opcode Fuzzy Hash: 9895dd2e79d38ff6447f40a868429f3d8bfef7524ed1ea596fca3f6cba339201
                                                                        • Instruction Fuzzy Hash: 55616D72A40218AFDB609FA4DC45FEA7BF9FB48300F148066FA69D2161EB7599908F14
                                                                        APIs
                                                                        • htons.WS2_32(0255CC84), ref: 0255F5B4
                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 0255F5CE
                                                                        • closesocket.WS2_32(00000000), ref: 0255F5DC
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: closesockethtonssocket
                                                                        • String ID: time_cfg
                                                                        • API String ID: 311057483-2401304539
                                                                        • Opcode ID: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                        • Instruction ID: 67931875e3c47787546e71c9aaaf17cd40da3ff3f49a04a609325a905c62b3d1
                                                                        • Opcode Fuzzy Hash: 35ab9fe366417f7a0644d99ffa926dabfa0554eb5add049d4f688aed03fde98e
                                                                        • Instruction Fuzzy Hash: B7315C76900129ABDB10DFA5EC88DEE7BFCFF89310F104566F915D3150E7709A818BA8
                                                                        APIs
                                                                        • GetUserNameA.ADVAPI32(?,0040D7C3), ref: 00406F7A
                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,0040D7C3), ref: 00406FC1
                                                                        • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 00406FE8
                                                                        • LocalFree.KERNEL32(00000120), ref: 0040701F
                                                                        • wsprintfA.USER32 ref: 00407036
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                        • String ID: /%d$|
                                                                        • API String ID: 676856371-4124749705
                                                                        • Opcode ID: 50e1d0fd506a25f4fcf020f7626363f0e34832197d4c239b412bec30e638236e
                                                                        • Instruction ID: 25602f0bb6ce76eb5d01febd46d0227a680cec7408ef54ec30c82d1084126da1
                                                                        • Opcode Fuzzy Hash: 50e1d0fd506a25f4fcf020f7626363f0e34832197d4c239b412bec30e638236e
                                                                        • Instruction Fuzzy Hash: B5313C72900209BFDB01DFA5DC45BDB7BBCEF04314F048166F949EB241DA79EA588B98
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(?), ref: 02552FA1
                                                                        • LoadLibraryA.KERNEL32(?), ref: 02552FB1
                                                                        • GetProcAddress.KERNEL32(00000000,004103F0), ref: 02552FC8
                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02553000
                                                                        • RtlAllocateHeap.NTDLL(00000000), ref: 02553007
                                                                        • lstrcpyn.KERNEL32(00000008,?,000000FF), ref: 02553032
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcesslstrcpyn
                                                                        • String ID: dnsapi.dll
                                                                        • API String ID: 1242400761-3175542204
                                                                        • Opcode ID: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                        • Instruction ID: 33ae2f8b1cc249626bdf9cf9c8b6c94aa53afc86925c8833eaa402c793af5a50
                                                                        • Opcode Fuzzy Hash: 7f5d185b3cfc49c95be658a26291c7e098e834ef0b89546cb75d65dd2dad2050
                                                                        • Instruction Fuzzy Hash: 07216071D01629BBCB219B55DC59AAEBFB8FF08B50F008462FD05E7150D7B49A8187E8
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,004122F8,000000E4,00406DDC,000000C8), ref: 00406CE7
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406CEE
                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 00406D14
                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 00406D2B
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                        • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                        • API String ID: 1082366364-3395550214
                                                                        • Opcode ID: 08590bedac40c171af98f9ef71e4763ddedd3488e6be67803c08e43eb8f6ec67
                                                                        • Instruction ID: 283af98db633f334a3c96cb566aa979ace8a56c3c0d7b64ee1e11c7fdc897f47
                                                                        • Opcode Fuzzy Hash: 08590bedac40c171af98f9ef71e4763ddedd3488e6be67803c08e43eb8f6ec67
                                                                        • Instruction Fuzzy Hash: AC21F26174034479F72157225D89FF72E4C8F52744F19407AF804B62D2CAED88E582AD
                                                                        APIs
                                                                        • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02559A18
                                                                        • GetThreadContext.KERNEL32(?,?), ref: 02559A52
                                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 02559A60
                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 02559A98
                                                                        • SetThreadContext.KERNEL32(?,00010002), ref: 02559AB5
                                                                        • ResumeThread.KERNEL32(?), ref: 02559AC2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                        • String ID: D
                                                                        • API String ID: 2981417381-2746444292
                                                                        • Opcode ID: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                        • Instruction ID: 7407d41502b22c494df47d9bda705a0c473c628cecdfc161585a2ce36d94febc
                                                                        • Opcode Fuzzy Hash: e2726c898831fa2e77ccd26efcb7f3ad26579022b5c1c2510a23e725eb230ef9
                                                                        • Instruction Fuzzy Hash: 26212C71901129BBDF119BA1DC09EEFBFBCFF05750F404062BA19E1050E7758A84CAA8
                                                                        APIs
                                                                        • inet_addr.WS2_32(004102D8), ref: 02551C18
                                                                        • LoadLibraryA.KERNEL32(004102C8), ref: 02551C26
                                                                        • GetProcessHeap.KERNEL32 ref: 02551C84
                                                                        • RtlAllocateHeap.NTDLL(00000000,00000000,00000288), ref: 02551C9D
                                                                        • RtlReAllocateHeap.NTDLL(?,00000000,00000000,?), ref: 02551CC1
                                                                        • HeapFree.KERNEL32(?,00000000,00000000), ref: 02551D02
                                                                        • FreeLibrary.KERNEL32(?), ref: 02551D0B
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$AllocateFreeLibrary$LoadProcessinet_addr
                                                                        • String ID:
                                                                        • API String ID: 2324436984-0
                                                                        • Opcode ID: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                        • Instruction ID: dc875aab538dd5d524197ecf27ad575f4ba9e8f90c6ebc701cd88c19699533f8
                                                                        • Opcode Fuzzy Hash: 86649b882a12f673409f1c62972542be89ea1fb211e92df17ca9b312c060c3f6
                                                                        • Instruction Fuzzy Hash: 76316F31D00229BFCB119FE4DC98AFEBFB9FB45345B24847AE905A6110D7B54E80DB98
                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02556CE4
                                                                        • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 02556D22
                                                                        • GetLastError.KERNEL32 ref: 02556DA7
                                                                        • CloseHandle.KERNEL32(?), ref: 02556DB5
                                                                        • GetLastError.KERNEL32 ref: 02556DD6
                                                                        • DeleteFileA.KERNEL32(?), ref: 02556DE7
                                                                        • GetLastError.KERNEL32 ref: 02556DFD
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorLast$File$CloseCreateDeleteDiskFreeHandleSpace
                                                                        • String ID:
                                                                        • API String ID: 3873183294-0
                                                                        • Opcode ID: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                        • Instruction ID: 1d2f9a4ad81c8df73bf7c559196408a5d498bdbe782a30da7f60822a630302e1
                                                                        • Opcode Fuzzy Hash: 362dcede7d5d7e1862a192dbfd3c9a0fc2e91233da1497f7250b4d19aff3169c
                                                                        • Instruction Fuzzy Hash: CC310272800199BFCB019FA4DD54AEE7F7DFB48310F048566EA11A3210D7709A418B69
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(00410380,00410670,00000000,\\.\pipe\wukhxvso,02557043), ref: 02556F4E
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02556F55
                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02556F7B
                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02556F92
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                        • String ID: C:\Windows\SysWOW64\$\\.\pipe\wukhxvso
                                                                        • API String ID: 1082366364-1563880823
                                                                        • Opcode ID: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                        • Instruction ID: 8325501f1412537efc1843317e380ca9701e761163f19ba3cfb60b74a679fc7a
                                                                        • Opcode Fuzzy Hash: 04a770052eb57bbfbb30415af63bc188d31a19c33639d4dbddcadc0e825ea320
                                                                        • Instruction Fuzzy Hash: 14212621B403613AF7225331DCA8FFB2E8DAF56714F1840A7FC04D64A0EBD994D6866D
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen
                                                                        • String ID: $localcfg
                                                                        • API String ID: 1659193697-2018645984
                                                                        • Opcode ID: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                        • Instruction ID: 485542460a3e4059ea5f42ed057a81d6d19882dda1e7246d50a3b641b7107022
                                                                        • Opcode Fuzzy Hash: 50699324d062f411f204296795e1435c215d76901ce01f8ee411c745418a2661
                                                                        • Instruction Fuzzy Hash: 9F716A72A00339AADF21AB54DCA5FEE3B69BB40318F244627FD05A6090DF7295C4CB5D
                                                                        APIs
                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                          • Part of subcall function 0040DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 0040DDB5
                                                                        • lstrcpynA.KERNEL32(?,00401E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?), ref: 0040E8DE
                                                                        • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E935
                                                                        • lstrlenA.KERNEL32(00000001,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?,0000000A), ref: 0040E93D
                                                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,?,0040EAAA,?,?,00000001,?,00401E84,?), ref: 0040E94F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                        • String ID: flags_upd$localcfg
                                                                        • API String ID: 204374128-3505511081
                                                                        • Opcode ID: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                        • Instruction ID: 4a5a107d8aad74d0ab91cd578fe54778089971c235e688b3f19fdb3cdc8cf470
                                                                        • Opcode Fuzzy Hash: 798df9beac1de9cfe9593c9a5200f7c4a69fe291944888fed16d288fbbf397d9
                                                                        • Instruction Fuzzy Hash: A5514F7290020AAFCB00EFE9C985DAEBBF9BF48308F14452EE405B3251D779EA548B54
                                                                        APIs
                                                                          • Part of subcall function 0255DF6C: GetCurrentThreadId.KERNEL32 ref: 0255DFBA
                                                                        • lstrcmp.KERNEL32(00410178,00000000), ref: 0255E8FA
                                                                        • lstrcpyn.KERNEL32(00000008,00000000,0000000F,?,00410170,00000000,?,02556128), ref: 0255E950
                                                                        • lstrcmp.KERNEL32(?,00000008), ref: 0255E989
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmp$CurrentThreadlstrcpyn
                                                                        • String ID: A$ A$ A
                                                                        • API String ID: 2920362961-1846390581
                                                                        • Opcode ID: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                        • Instruction ID: 196c98c6c456fc71b1d3e30ff71524d686f7795bab2c95cb1a9030299f91557c
                                                                        • Opcode Fuzzy Hash: 22b7ec265cbf58d9e118b1c9ae896798d4c4cc7fc0edb460ff72d5a9b3fd5feb
                                                                        • Instruction Fuzzy Hash: 6D31BE31A007269BCB718F24C895BA67FF4FF05724F00892BE99587550D370EA80CB89
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Code
                                                                        • String ID:
                                                                        • API String ID: 3609698214-0
Memory Dump Source
• Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
Similarity
• API ID: Code
• String ID:
• API String ID: 3609698214-0
APIs
• GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
• wsprintfA.USER32 ref: 004090E9
• CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
• lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
• WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
• CloseHandle.KERNEL32(00000000), ref: 00409134
Memory Dump Source
• Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
APIs
• GetTempPathA.KERNEL32(00000400,?), ref: 025592E2
• wsprintfA.USER32 ref: 02559350
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02559375
• lstrlen.KERNEL32(?,?,00000000), ref: 02559389
• WriteFile.KERNEL32(00000000,?,00000000), ref: 02559394
• CloseHandle.KERNEL32(00000000), ref: 0255939B
Memory Dump Source
• Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
Similarity
• API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
• String ID:
• API String ID: 2439722600-0
APIs
• GetTickCount.KERNEL32 ref: 0040DD0F
• GetCurrentThreadId.KERNEL32 ref: 0040DD20
• GetTickCount.KERNEL32 ref: 0040DD2E
• Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,0040E538,?,74DF0F10,?,00000000,?,0040A445), ref: 0040DD3B
• InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
• GetCurrentThreadId.KERNEL32 ref: 0040DD53
Memory Dump Source
• Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
Similarity
• API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
• String ID:
• API String ID: 3819781495-0
APIs
• GetTickCount.KERNEL32 ref: 0255C6B4
• InterlockedIncrement.KERNEL32(0255C74B), ref: 0255C715
• CreateThread.KERNEL32(00000000,00000000,0040B535,00000000,?,0255C747), ref: 0255C728
• CloseHandle.KERNEL32(00000000,?,0255C747,00413588,02558A77), ref: 0255C733
Memory Dump Source
• Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
Similarity
• API ID: CloseCountCreateHandleIncrementInterlockedThreadTick
• String ID: localcfg
• API String ID: 1026198776-1857712256
APIs
• RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 0040815F
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408187
• RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,0040A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 004081BE
• RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 00408210
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 0040677E
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 0040679A
  • Part of subcall function 0040675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 004067B0
  • Part of subcall function 0040675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 004067BF
  • Part of subcall function 0040675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 004067D3
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,00000040,00408244,00000000,?,74DF0F10,00000000), ref: 00406807
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040681F
  • Part of subcall function 0040675C: ReadFile.KERNEL32(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 0040683E
  • Part of subcall function 0040675C: SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 0040685C
  • Part of subcall function 0040EC2E: GetProcessHeap.KERNEL32(00000000,'@,00000000,0040EA27,00000000), ref: 0040EC41
  • Part of subcall function 0040EC2E: HeapFree.KERNEL32(00000000), ref: 0040EC48
Memory Dump Source
• Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
Similarity
• API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
• String ID: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe
• API String ID: 124786226-3712984543
APIs
• GetUserNameA.ADVAPI32(?,?), ref: 025571E1
• LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02557228
• LocalFree.KERNEL32(?,?,?), ref: 02557286
• wsprintfA.USER32 ref: 0255729D
Memory Dump Source
• Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
Similarity
• API ID: Name$AccountFreeLocalLookupUserwsprintf
• String ID: |
• API String ID: 2539190677-2343686810
APIs
• gethostname.WS2_32(?,00000080), ref: 0040AD1C
• lstrlenA.KERNEL32(00000000), ref: 0040AD60
• lstrlenA.KERNEL32(00000000), ref: 0040AD69
• lstrcpyA.KERNEL32(00000000,LocalHost), ref: 0040AD7F
Memory Dump Source
• Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
Similarity
• API ID: lstrlen$gethostnamelstrcpy
• String ID: LocalHost
• API String ID: 3695455745-3154191806
APIs
• RegOpenKeyExA.ADVAPI32(80000001,0040E5F2,00000000,00020119,0040E5F2,004122F8), ref: 0040E3E6
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 0040E44E
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 0040E482
• RegQueryValueExA.ADVAPI32(0040E5F2,?,00000000,?,80000001,?), ref: 0040E4CF
• RegCloseKey.ADVAPI32(0040E5F2,?,?,?,?,000000C8,000000E4), ref: 0040E520
Memory Dump Source
• Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
Similarity
• API ID: QueryValue$CloseOpen
• String ID:
• API String ID: 1586453840-0
APIs
• GetLocalTime.KERNEL32(?), ref: 0255B51A
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0255B529
• SystemTimeToFileTime.KERNEL32(?,?), ref: 0255B548
• GetTimeZoneInformation.KERNEL32(?), ref: 0255B590
• wsprintfA.USER32 ref: 0255B61E
Memory Dump Source
• Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
Similarity
• API ID: Time$File$Local$InformationSystemZonewsprintf
• String ID:
• API String ID: 4026320513-0
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,004098FD,00000001,00000100,004122F8,0040A3C7), ref: 00404290
• CloseHandle.KERNEL32(0040A3C7), ref: 004043AB
• CloseHandle.KERNEL32(00000001), ref: 004043AE
Memory Dump Source
• Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
Similarity
• API ID: CloseHandle$CreateEvent
• String ID:
• API String ID: 1371578007-0
APIs
• IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,004064CF,00000000), ref: 0040609C
• LoadLibraryA.KERNEL32(?,?,004064CF,00000000), ref: 004060C3
• GetProcAddress.KERNEL32(?,00000014), ref: 0040614A
• IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 0040619E
Memory Dump Source
• Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
Similarity
• API ID: Read$AddressLibraryLoadProc
• String ID:
• API String ID: 2438460464-0
APIs
• IsBadHugeReadPtr.KERNEL32(?,00000014), ref: 02556303
• LoadLibraryA.KERNEL32(?), ref: 0255632A
• GetProcAddress.KERNEL32(00000000,?), ref: 025563B1
• IsBadHugeReadPtr.KERNEL32(-000000DC,00000014), ref: 02556405
Memory Dump Source
• Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
Similarity
• API ID: HugeRead$AddressLibraryLoadProc
• String ID:
• API String ID: 3498078134-0
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                        • Instruction ID: 0bfd2bf0caf83722c61519a9099cbfb16c0865a6a5fe5c2769a2057d5fd36f2a
                                                                        • Opcode Fuzzy Hash: 7d7be85cd36f3663e93a2a6933a3c0dd16534f9087a3b26c869853f350d83737
                                                                        • Instruction Fuzzy Hash: 2931A471A00219ABCB109FA6CD85ABEB7F4FF48705F10846BF504F62C1E7B8D6418B68
                                                                        APIs
                                                                          • Part of subcall function 0040DD05: GetTickCount.KERNEL32 ref: 0040DD0F
                                                                          • Part of subcall function 0040DD05: InterlockedExchange.KERNEL32(004136B4,00000001), ref: 0040DD44
                                                                          • Part of subcall function 0040DD05: GetCurrentThreadId.KERNEL32 ref: 0040DD53
                                                                        • lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,00405EC1), ref: 0040E693
                                                                        • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,00405EC1), ref: 0040E6E9
                                                                        • lstrcmpA.KERNEL32(?,00000008,?,74DF0F10,00000000,?,00405EC1), ref: 0040E722
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                        • String ID: A$ A
                                                                        • API String ID: 3343386518-686259309
                                                                        • Opcode ID: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                        • Instruction ID: 47b803fc1c440cad9c550ff35358ad860d5bc2ca4051ff98ce99c32b6473ed9c
                                                                        • Opcode Fuzzy Hash: 951ece8c2afd944643beef7ac70d50e077dd33d1a65e809f7a70b3905a3fc363
                                                                        • Instruction Fuzzy Hash: CC31C031600301DBCB318F66E8847977BE4AB24314F508D3BE555A7690D779E8A0CB89
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 0040272E
                                                                        • htons.WS2_32(00000001), ref: 00402752
                                                                        • htons.WS2_32(0000000F), ref: 004027D5
                                                                        • htons.WS2_32(00000001), ref: 004027E3
                                                                        • sendto.WS2_32(?,00412BF8,00000009,00000000,00000010,00000010), ref: 00402802
                                                                          • Part of subcall function 0040EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,0040EBFE,7FFF0001,?,0040DB55,7FFF0001), ref: 0040EBD3
                                                                          • Part of subcall function 0040EBCC: HeapAlloc.KERNEL32(00000000,?,0040DB55,7FFF0001), ref: 0040EBDA
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: htons$Heap$AllocCountProcessTicksendto
                                                                        • String ID:
                                                                        • API String ID: 1802437671-0
                                                                        • Opcode ID: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                        • Instruction ID: e317574a351225f02cdc10e669db3389ba019fd1a924c3d0ab3f78f3d9a30560
                                                                        • Opcode Fuzzy Hash: 6299894b8f3bc0cc0dfae645a3d09159b09bee40e3d6069153e68f679ff52250
                                                                        • Instruction Fuzzy Hash: B8313A342483969FD7108F74DD80AA27760FF19318B19C07EE855DB3A2D6B6E892D718
                                                                        APIs
                                                                        • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 0040F2A0
                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 0040F2C0
                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 0040F2DD
                                                                        • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 0040F2EC
                                                                        • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F2FD
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: setsockopt
                                                                        • String ID:
                                                                        • API String ID: 3981526788-0
                                                                        • Opcode ID: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                        • Instruction ID: 54276ff97121d9260d4f5268cf3942b14174050ddbce03adff589c8218e6c2bb
                                                                        • Opcode Fuzzy Hash: 8b4be0266ee07c3102769aa2bfb0f3fbe40b153d7f42fbd5c93fb3948aedae23
                                                                        • Instruction Fuzzy Hash: 6B110AB2A40248BAEF11DF94CD85FDE7FBCEB44751F008066BB04EA1D0E6B19A44CB94
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,004122F8), ref: 0040915F
                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 00409166
                                                                        • CharToOemA.USER32(?,?), ref: 00409174
                                                                        • wsprintfA.USER32 ref: 004091A9
                                                                          • Part of subcall function 00409064: GetTempPathA.KERNEL32(00000400,?,00000000,004122F8), ref: 0040907B
                                                                          • Part of subcall function 00409064: wsprintfA.USER32 ref: 004090E9
                                                                          • Part of subcall function 00409064: CreateFileA.KERNEL32(004122F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0040910E
                                                                          • Part of subcall function 00409064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 00409122
                                                                          • Part of subcall function 00409064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 0040912D
                                                                          • Part of subcall function 00409064: CloseHandle.KERNEL32(00000000), ref: 00409134
                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 004091E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                        • String ID:
                                                                        • API String ID: 3857584221-0
                                                                        • Opcode ID: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                        • Instruction ID: 6acb945c628b875356ea86accac8c7b18cb61426f44bb7d0566a1afba52fbd3a
                                                                        • Opcode Fuzzy Hash: 69a42f15c0bdb603acf61cfacf6d4b07552c73bbecf68ccfe74a45dc0564b67a
                                                                        • Instruction Fuzzy Hash: 8F016DB69001187BD720A7619D49EDF3A7C9B85705F0000A6BB09E2080DAB89AC48F68
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104), ref: 025593C6
                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 025593CD
                                                                        • CharToOemA.USER32(?,?), ref: 025593DB
                                                                        • wsprintfA.USER32 ref: 02559410
                                                                          • Part of subcall function 025592CB: GetTempPathA.KERNEL32(00000400,?), ref: 025592E2
                                                                          • Part of subcall function 025592CB: wsprintfA.USER32 ref: 02559350
                                                                          • Part of subcall function 025592CB: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02559375
                                                                          • Part of subcall function 025592CB: lstrlen.KERNEL32(?,?,00000000), ref: 02559389
                                                                          • Part of subcall function 025592CB: WriteFile.KERNEL32(00000000,?,00000000), ref: 02559394
                                                                          • Part of subcall function 025592CB: CloseHandle.KERNEL32(00000000), ref: 0255939B
                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02559448
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                        • String ID:
                                                                        • API String ID: 3857584221-0
                                                                        • Opcode ID: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                        • Instruction ID: c3b8164e8305dec7fa6e49de288b61a6742dafa99773398e2faec179e45515d6
                                                                        • Opcode Fuzzy Hash: ff085cb3efc643ea3343cce32a213b77a8dc5f084f98a1949d4da58a8db7cba0
                                                                        • Instruction Fuzzy Hash: 770156F6900119BBD7219761DD49EDF377CEB95701F0040A2BB49E2040DAB496C58F75
                                                                        APIs
                                                                        • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001), ref: 00402429
                                                                        • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 0040243E
                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 00402452
                                                                        • lstrlenA.KERNEL32(?,?,00402491,?,?,?,0040E844,-00000030,?,?,?,00000001,00401E3D,00000001,localcfg,lid_file_upd), ref: 00402467
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$lstrcmpi
                                                                        • String ID: localcfg
                                                                        • API String ID: 1808961391-1857712256
                                                                        • Opcode ID: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                        • Instruction ID: 10b525c6ae3f8891cd48fd25e34f392daf9ed257baad57177c8ccf48abf1fcea
                                                                        • Opcode Fuzzy Hash: e0652b8e6b882c26303073c97bc729d70adad1496f82cefeb83b9b40d862f6ea
                                                                        • Instruction Fuzzy Hash: B4011A31600218EFCF11EF69DD888DE7BA9EF44354B01C436E859A7250E3B4EA408A98
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                        • API String ID: 2574300362-1087626847
                                                                        • Opcode ID: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                        • Instruction ID: f6c238f91e07a5798e813b0b618c72a9a5addbcd8e0b61e0281ff71d4ef1483f
                                                                        • Opcode Fuzzy Hash: 4ad453f95e319ae71f8ebabcc46d8d27ffdc7fe226df516f9f2c7e6519cf6946
                                                                        • Instruction Fuzzy Hash: 3D11DA71E01124BFCB11DBA5DD858EEBBB9EB44B10B144077E005F72A1E7786E80CB98
                                                                        APIs
                                                                          • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                          • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401C15
                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 00401C51
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                        • String ID: hi_id$localcfg
                                                                        • API String ID: 2777991786-2393279970
                                                                        • Opcode ID: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                        • Instruction ID: b3a67a5cb4ed68e183e77afdc8505cc80d304e276af6d439446d09174096bcc5
                                                                        • Opcode Fuzzy Hash: 8706900559274ba91d770fb8bb1d60ecae66f9331a84d665d36368a2f022e804
                                                                        • Instruction Fuzzy Hash: B2018072A44118BBEB10EAE8C8C59EFBABCAB48745F104476E602F3290D274DE4486A5
                                                                        APIs
                                                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 00406F0F
                                                                        • CheckTokenMembership.ADVAPI32(00000000,?,*p@), ref: 00406F24
                                                                        • FreeSid.ADVAPI32(?), ref: 00406F3E
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                        • String ID: *p@
                                                                        • API String ID: 3429775523-2474123842
                                                                        • Opcode ID: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                        • Instruction ID: a55d58a6849641b9de595c9770ce5785232f8714219103e6702645194e06a02f
                                                                        • Opcode Fuzzy Hash: e5b07a668181befdfd7487022a30a26c3f8e9f7140bfa863a498fdcbf626812e
                                                                        • Instruction Fuzzy Hash: 6701E571904209AFDB10DFE4ED85AAE7BB8F708304F50847AE606E2191D7745A54CB18
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: gethostbynameinet_addr
                                                                        • String ID: time_cfg$u6A
                                                                        • API String ID: 1594361348-1940331995
                                                                        • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                        • Instruction ID: 3c768ea3114f80cb791cddfe3362118337100204fb06fa799175378c37725ea9
                                                                        • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                        • Instruction Fuzzy Hash: 96E012306086219FDB509B2CF888AD57BE5FF4A230F058596FC54D72A1D778DCC19758
                                                                        APIs
                                                                        • SetFileAttributesA.KERNEL32(?,00000080), ref: 025569E5
                                                                        • SetFileAttributesA.KERNEL32(?,00000002), ref: 02556A26
                                                                        • GetFileSize.KERNEL32(000000FF,00000000), ref: 02556A3A
                                                                        • CloseHandle.KERNEL32(000000FF), ref: 02556BD8
                                                                          • Part of subcall function 0255EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02551DCF,?), ref: 0255EEA8
                                                                          • Part of subcall function 0255EE95: HeapFree.KERNEL32(00000000), ref: 0255EEAF
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$AttributesHeap$CloseFreeHandleProcessSize
                                                                        • String ID:
                                                                        • API String ID: 3384756699-0
                                                                        • Opcode ID: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                        • Instruction ID: dbc27ea90673a60f99e98c24b51b7eb7c7b5b93527308b4a210aae21e84e0227
                                                                        • Opcode Fuzzy Hash: 7cb1483d7ca4a0334585b6ef60a3fe03637638a32adcd708d2059a772ed48796
                                                                        • Instruction Fuzzy Hash: 63714771D0026DEFDF10CFA4CC90AEEBBB9FB08324F50456AE915A6190D7349E92CB64
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wsprintf
                                                                        • String ID: %u.%u.%u.%u.%s$localcfg
                                                                        • API String ID: 2111968516-120809033
                                                                        APIs
                                                                        • RegCreateKeyExA.ADVAPI32(80000001,0040E2A3,00000000,00000000,00000000,00020106,00000000,0040E2A3,00000000,000000E4), ref: 0040E0B2
                                                                        • RegSetValueExA.ADVAPI32(0040E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0040E127
                                                                        • RegDeleteValueA.ADVAPI32(0040E2A3,?,?,?,?,?,000000C8,004122F8), ref: 0040E158
                                                                        • RegCloseKey.ADVAPI32(0040E2A3,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0040E2A3), ref: 0040E161
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Value$CloseCreateDelete
                                                                        • String ID:
                                                                        • API String ID: 2667537340-0
                                                                        APIs
                                                                        • RegCreateKeyExA.ADVAPI32(80000001,0255E50A,00000000,00000000,00000000,00020106,00000000,0255E50A,00000000,000000E4), ref: 0255E319
                                                                        • RegSetValueExA.ADVAPI32(0255E50A,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,004122F8), ref: 0255E38E
                                                                        • RegDeleteValueA.ADVAPI32(0255E50A,?,?,?,?,?,000000C8,004122F8), ref: 0255E3BF
                                                                        • RegCloseKey.ADVAPI32(0255E50A,?,?,?,?,000000C8,004122F8,?,?,?,?,?,?,?,?,0255E50A), ref: 0255E3C8
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Value$CloseCreateDelete
                                                                        • String ID:
                                                                        • API String ID: 2667537340-0
                                                                        APIs
                                                                        • WriteFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403F44
                                                                        • GetLastError.KERNEL32 ref: 00403F4E
                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403F5F
                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403F72
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                        • String ID:
                                                                        • API String ID: 3373104450-0
                                                                        APIs
                                                                        • ReadFile.KERNEL32(00000000,00000000,0040A3C7,00000000,00000000,000007D0,00000001), ref: 00403FB8
                                                                        • GetLastError.KERNEL32 ref: 00403FC2
                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 00403FD3
                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 00403FE6
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                        • String ID:
                                                                        • API String ID: 888215731-0
                                                                        APIs
                                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 025541AB
                                                                        • GetLastError.KERNEL32 ref: 025541B5
                                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 025541C6
                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 025541D9
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                        • String ID:
                                                                        • API String ID: 3373104450-0
                                                                        APIs
                                                                        • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0255421F
                                                                        • GetLastError.KERNEL32 ref: 02554229
                                                                        • WaitForSingleObject.KERNEL32(?,?), ref: 0255423A
                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 0255424D
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                        • String ID:
                                                                        • API String ID: 888215731-0
                                                                        APIs
                                                                        • lstrcmp.KERNEL32(?,80000009), ref: 0255E066
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmp
                                                                        • String ID: A$ A$ A
                                                                        • API String ID: 1534048567-1846390581
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 0040A4D1
                                                                        • GetTickCount.KERNEL32 ref: 0040A4E4
                                                                        • Sleep.KERNEL32(00000000,?,0040C2E9,0040C4E0,00000000,localcfg,?,0040C4E0,00413588,00408810), ref: 0040A4F1
                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 0040A4FA
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                        • String ID:
                                                                        • API String ID: 2207858713-0
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00404E9E
                                                                        • GetTickCount.KERNEL32 ref: 00404EAD
                                                                        • Sleep.KERNEL32(0000000A,?,00000001), ref: 00404EBA
                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 00404EC3
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                        • String ID:
                                                                        • API String ID: 2207858713-0
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00404BDD
                                                                        • GetTickCount.KERNEL32 ref: 00404BEC
                                                                        • Sleep.KERNEL32(00000000,?,?,?,00000004,004050F2), ref: 00404BF9
                                                                        • InterlockedExchange.KERNEL32(-00000008,00000001), ref: 00404C02
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                        • String ID:
                                                                        • API String ID: 2207858713-0
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 00403103
                                                                        • GetTickCount.KERNEL32 ref: 0040310F
                                                                        • Sleep.KERNEL32(00000000), ref: 0040311C
                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                        • String ID:
                                                                        • API String ID: 2207858713-0
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?), ref: 025583C6
                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?), ref: 02558477
                                                                          • Part of subcall function 025569C3: SetFileAttributesA.KERNEL32(?,00000080), ref: 025569E5
                                                                          • Part of subcall function 025569C3: SetFileAttributesA.KERNEL32(?,00000002), ref: 02556A26
                                                                          • Part of subcall function 025569C3: GetFileSize.KERNEL32(000000FF,00000000), ref: 02556A3A
                                                                          • Part of subcall function 0255EE95: GetProcessHeap.KERNEL32(00000000,?,00000000,02551DCF,?), ref: 0255EEA8
                                                                          • Part of subcall function 0255EE95: HeapFree.KERNEL32(00000000), ref: 0255EEAF
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$AttributesHeap$CloseFreeOpenProcessSize
                                                                        • String ID: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe
                                                                        • API String ID: 359188348-3712984543
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(?), ref: 0255AFFF
                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 0255B00D
                                                                          • Part of subcall function 0255AF6F: gethostname.WS2_32(?,00000080), ref: 0255AF83
                                                                          • Part of subcall function 0255AF6F: lstrcpy.KERNEL32(?,00410B90), ref: 0255AFE6
                                                                          • Part of subcall function 0255331C: gethostname.WS2_32(?,00000080), ref: 0255333F
                                                                          • Part of subcall function 0255331C: gethostbyname.WS2_32(?), ref: 02553349
                                                                          • Part of subcall function 0255AA0A: inet_ntoa.WS2_32(00000000), ref: 0255AA10
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Time$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                        • String ID: %OUTLOOK_BND_
                                                                        • API String ID: 1981676241-3684217054
                                                                        APIs
                                                                        • ShellExecuteA.SHELL32(00000000,00000000,00000020,00000022,00000000,00000000), ref: 02559536
                                                                        • Sleep.KERNEL32(000001F4), ref: 0255955D
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExecuteShellSleep
                                                                        • String ID:
                                                                        • API String ID: 4194306370-3916222277
                                                                        APIs
                                                                        • WriteFile.KERNEL32(00409A60,?,?,00000000,00000000,00409A60,?,00000000), ref: 004069F9
                                                                        • WriteFile.KERNEL32(00409A60,?,00409A60,00000000,00000000), ref: 00406A27
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: FileWrite
                                                                        • String ID: ,k@
                                                                        • API String ID: 3934441357-1053005162
                                                                        • Opcode ID: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                        • Instruction ID: 2e4882fff751b5905bcc38bfa2cd4d67bf9c642b42fdf425c00f27fbfd993b21
                                                                        • Opcode Fuzzy Hash: e4aff9389b963f63373f6495f6f2d31144d691977fa3f05a849364ed3536fcbf
                                                                        • Instruction Fuzzy Hash: 3A313A72A00209EFDB24DF58D984BAA77F4EB44315F12847AE802F7680D374EE64CB65
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 0255B9D9
                                                                        • InterlockedIncrement.KERNEL32(00413648), ref: 0255BA3A
                                                                        • InterlockedIncrement.KERNEL32(?), ref: 0255BA94
                                                                        • GetTickCount.KERNEL32 ref: 0255BB79
                                                                        • GetTickCount.KERNEL32 ref: 0255BB99
                                                                        • InterlockedIncrement.KERNEL32(?), ref: 0255BE15
                                                                        • closesocket.WS2_32(00000000), ref: 0255BEB4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountIncrementInterlockedTick$closesocket
                                                                        • String ID: %FROM_EMAIL
                                                                        • API String ID: 1869671989-2903620461
                                                                        • Opcode ID: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                        • Instruction ID: 289a9e273486a4d91ec9932419f154e232308d3ea20b282ef4fae5bd6b71a3f3
                                                                        • Opcode Fuzzy Hash: 0090938f495b36ecde0c2704714dbc7a7bc2631707f40fe0f7850b313d5ec50d
                                                                        • Instruction Fuzzy Hash: 3A316971400258DFDF25DFA4DCA8AE9BBA9FB48704F24445BFE2482164EB709A85CF18
                                                                        APIs
                                                                        Strings
                                                                        • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 0040C057
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTickwsprintf
                                                                        • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                        • API String ID: 2424974917-1012700906
                                                                        • Opcode ID: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                        • Instruction ID: 59a0723085258e1b6130595cff45262f63c8180c8ffe05f2a9b9c441a6a96c57
                                                                        • Opcode Fuzzy Hash: 06c76dfdee32e392c5b9e14bf2ce1b6ffedea00b213a31f1363bbf4a57a4f60a
                                                                        • Instruction Fuzzy Hash: 53115672200100FFDB529BA9DD44E567FA6FB88319B3491ACF6188A166D633D863EB50
                                                                        APIs
                                                                          • Part of subcall function 004030FA: GetTickCount.KERNEL32 ref: 00403103
                                                                          • Part of subcall function 004030FA: InterlockedExchange.KERNEL32(?,00000001), ref: 00403128
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00403929
                                                                        • GetCurrentThreadId.KERNEL32 ref: 00403939
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                        • String ID: %FROM_EMAIL
                                                                        • API String ID: 3716169038-2903620461
                                                                        • Opcode ID: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                        • Instruction ID: b7f4056d5a805f6dc72f55654bcd4db07a73235d6c8b9c95532e416c15eafef7
                                                                        • Opcode Fuzzy Hash: ef9999c53fb079ee60b66104ed5eee9301c2c40c50ee899f7204c173007e787c
                                                                        • Instruction Fuzzy Hash: 7B113DB5900214EFD720DF16D581A5DF7F8FB05716F11856EE844A7291C7B8AB80CFA8
                                                                        APIs
                                                                        • GetUserNameW.ADVAPI32(?,?), ref: 025570BC
                                                                        • LookupAccountNameW.ADVAPI32(00000000,?,?,00000104,?,?,?), ref: 025570F4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Name$AccountLookupUser
                                                                        • String ID: |
                                                                        • API String ID: 2370142434-2343686810
                                                                        • Opcode ID: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                        • Instruction ID: 1b02d12930e25fc4f16766216405924a704927cfa654baffc3fcf8bb8fd2e14e
                                                                        • Opcode Fuzzy Hash: 72898ebcb6f81f1198030622a9bf6313c93c94cde1355ae2af79125b690e915f
                                                                        • Instruction Fuzzy Hash: FC11FA72900128EBDB11CBD6DC84EDEBBBDBB08715F1441A6E901E6194D7709B88CBA4
                                                                        APIs
                                                                          • Part of subcall function 00401AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 00401AD4
                                                                          • Part of subcall function 00401AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 00401AE9
                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 00401BA3
                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00401EFD,00000000,00000000,00000000,00000000), ref: 00401BB8
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressComputerInformationLibraryLoadNameProcVolume
                                                                        • String ID: localcfg
                                                                        • API String ID: 2777991786-1857712256
                                                                        • Opcode ID: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                        • Instruction ID: 3328142983dde5627d9ce9a8d7cd594e0c2b91da8c15a082e229c164244e8f4a
                                                                        • Opcode Fuzzy Hash: 347cd581b463f90e4869c942ce5ddbd7b1215e33c70616b3ab33c256474cc11e
                                                                        • Instruction Fuzzy Hash: BE018BB2D0010CBFEB009BE9CC819EFFABCAB48754F150072A601F3190E6746E084AA1
                                                                        APIs
                                                                        • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,0040BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 0040ABB9
                                                                        • InterlockedIncrement.KERNEL32(00413640), ref: 0040ABE1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: IncrementInterlockedlstrcpyn
                                                                        • String ID: %FROM_EMAIL
                                                                        • API String ID: 224340156-2903620461
                                                                        • Opcode ID: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                        • Instruction ID: 7c747491fd5973eaabf4003e0d871bd0eed893c7530145efd7f06e2bf3dfd35d
                                                                        • Opcode Fuzzy Hash: 85a21fda7c2203b6c3b9fe5e6af0625d6c65905c1dc9d9bdca14f106badbca83
                                                                        • Instruction Fuzzy Hash: D3019231508384AFDB21CF18D881F967FA5AF15314F1444A6F6805B393C3B9E995CB96
                                                                        APIs
                                                                        • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 004026C3
                                                                        • inet_ntoa.WS2_32(?), ref: 004026E4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: gethostbyaddrinet_ntoa
                                                                        • String ID: localcfg
                                                                        • API String ID: 2112563974-1857712256
                                                                        • Opcode ID: eb36c4684a50d41e83146847fb5b55aa5c7421795727ebfadd0c8b1e870b45ea
                                                                        • Instruction ID: d2c247fa2f64166219b22d1ecfca1b9a377bc480b126e4bf322f1ec8134a793b
                                                                        • Opcode Fuzzy Hash: eb36c4684a50d41e83146847fb5b55aa5c7421795727ebfadd0c8b1e870b45ea
                                                                        • Instruction Fuzzy Hash: 81F082321482097BEF006FA1ED09A9A379CEF09354F108876FA08EA0D0DBB5D950979C
                                                                        APIs
                                                                        • inet_addr.WS2_32(00000001), ref: 00402693
                                                                        • gethostbyname.WS2_32(00000001), ref: 0040269F
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: gethostbynameinet_addr
                                                                        • String ID: time_cfg
                                                                        • API String ID: 1594361348-2401304539
                                                                        • Opcode ID: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                        • Instruction ID: 506fadec158220b53989f58c32679351ed61dc8f5455c60e8cf87b9af1828998
                                                                        • Opcode Fuzzy Hash: f9db606e706a3ea9b2ac4bed422f000f2ba59a3d29e70a13aafe2ea60d03e68c
                                                                        • Instruction Fuzzy Hash: 9CE08C302040219FCB108B28F848AC637A4AF06330F0189A2F840E32E0C7B89CC08688
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,0040EB54,_alldiv,0040F0B7,80000001,00000000,00989680,00000000,?,?,?,0040E342,00000000,75A8EA50,80000001,00000000), ref: 0040EAF2
                                                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 0040EB07
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressLibraryLoadProc
                                                                        • String ID: ntdll.dll
                                                                        • API String ID: 2574300362-2227199552
                                                                        • Opcode ID: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                        • Instruction ID: 7b5812d5d2c037db56fb7cc720bc5ad28be2e092f3141d28ea6626f847aa1f88
                                                                        • Opcode Fuzzy Hash: b4eb004c93ce830f66033c1bec013b2cb76b73adf8dbcf645c2d99c100687d31
                                                                        • Instruction Fuzzy Hash: D0D0C934600302ABCF22CF65AE1EA867AACAB54702B40C436B406E1670E778E994DA0C
                                                                        APIs
                                                                          • Part of subcall function 00402D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,00402F01,?,004020FF,00412000), ref: 00402D3A
                                                                          • Part of subcall function 00402D21: LoadLibraryA.KERNEL32(?), ref: 00402D4A
                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00402F73
                                                                        • HeapFree.KERNEL32(00000000), ref: 00402F7A
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1772595073.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_400000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                        • String ID:
                                                                        • API String ID: 1017166417-0
                                                                        • Opcode ID: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                        • Instruction ID: 68d3b74a61d8da24685d2c7d21854d87d7e5c343c8b3ec1e3967b08f84d9f298
                                                                        • Opcode Fuzzy Hash: 17a9aa356eb7964f79448f848511744e029a14576c0ff14f59890d2228000c73
                                                                        • Instruction Fuzzy Hash: C251E23190020A9FCF01DF64D8889FABB79FF15304F10457AEC95E7290E7769A19CB88
                                                                        APIs
                                                                          • Part of subcall function 02552F88: GetModuleHandleA.KERNEL32(?), ref: 02552FA1
                                                                          • Part of subcall function 02552F88: LoadLibraryA.KERNEL32(?), ref: 02552FB1
                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 025531DA
                                                                        • HeapFree.KERNEL32(00000000), ref: 025531E1
                                                                        Memory Dump Source
                                                                        • Source File: 0000000B.00000002.1773632508.0000000002550000.00000040.00001000.00020000.00000000.sdmp, Offset: 02550000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_11_2_2550000_ybuffopp.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$FreeHandleLibraryLoadModuleProcess
                                                                        • String ID:
                                                                        • API String ID: 1017166417-0
                                                                        • Opcode ID: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                        • Instruction ID: c75d6c3c9f8adf130c3796e7eb664a758be2a15f51e01ccc2253792064da30bc
                                                                        • Opcode Fuzzy Hash: 6d22c46e4b2bbf8f956e586da185c112e243b929c4a2d348202b24ffe9e68596
                                                                        • Instruction Fuzzy Hash: 7051A03190026AEFCB01DF64D8949F9BB75FF05344F1445AAEC9AC7210E732DA19CB98

                                                                        Execution Graph

                                                                        Execution Coverage:14.5%
                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                        Signature Coverage:0.7%
                                                                        Total number of Nodes:1807
                                                                        Total number of Limit Nodes:18
                                                                        execution_graph (rendered as an interactive node/edge graph in the original report; the text dump lists each node as "<id> <address> <API calls>" and each edge as "<id>-><id>")
                                                                        • Nodes listed include 2f89a6b SetErrorMode SetErrorMode SetUnhandledExceptionFilter, 2f89aa3 GetModuleHandleA GetModuleFileNameA, 2f89afd GetCommandLineA, 2f8a406 DeleteFileA, 2f8a41c CreateThread WSAStartup, 2f89f32 RegOpenKeyExA, 2f89f48 RegSetValueExA RegCloseKey, 2f8a103 CreateProcessA and 2f8a39d StartServiceCtrlDispatcherA
13 API calls 6384->6385 6386 2f8a47a 6385->6386 6387 2f88db1 6386->6387 6388 2f88dbc 6387->6388 6389 2f8e654 13 API calls 6388->6389 6390 2f88dec Sleep 6389->6390 6390->6208 6392 2f8c92f 6391->6392 6393 2f8c93c 6392->6393 6990 2f8c517 6392->6990 6395 2f8ca2b 6393->6395 6396 2f8e819 11 API calls 6393->6396 6395->6208 6397 2f8c96a 6396->6397 6398 2f8e819 11 API calls 6397->6398 6399 2f8c97d 6398->6399 6400 2f8e819 11 API calls 6399->6400 6401 2f8c990 6400->6401 6402 2f8c9aa 6401->6402 6403 2f8ebcc 4 API calls 6401->6403 6402->6395 6979 2f82684 6402->6979 6403->6402 6408 2f8ca26 7007 2f8c8aa 6408->7007 6411 2f8ca44 6412 2f8ca4b closesocket 6411->6412 6413 2f8ca83 6411->6413 6412->6408 6414 2f8ea84 30 API calls 6413->6414 6415 2f8caac 6414->6415 6416 2f8f04e 4 API calls 6415->6416 6417 2f8cab2 6416->6417 6418 2f8ea84 30 API calls 6417->6418 6419 2f8caca 6418->6419 6420 2f8ea84 30 API calls 6419->6420 6421 2f8cad9 6420->6421 7011 2f8c65c 6421->7011 6424 2f8cb60 closesocket 6424->6395 6426 2f8dad2 closesocket 6427 2f8e318 23 API calls 6426->6427 6428 2f8dae0 6427->6428 6428->6395 6429 2f8df4c 20 API calls 6489 2f8cb70 6429->6489 6434 2f8e654 13 API calls 6434->6489 6440 2f8c65c send GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 6440->6489 6441 2f8ea84 30 API calls 6441->6489 6442 2f8d569 closesocket Sleep 7058 2f8e318 6442->7058 6443 2f8d815 wsprintfA 6443->6489 6444 2f8cc1c GetTempPathA 6444->6489 6445 2f87ead 6 API calls 6445->6489 6446 2f8c517 23 API calls 6446->6489 6448 2f8f04e LoadLibraryA GetProcAddress SystemTimeToFileTime GetSystemTimeAsFileTime 6448->6489 6449 2f8e8a1 30 API calls 6449->6489 6450 2f8d582 ExitProcess 6451 2f8ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 6451->6489 6452 2f8cfe3 GetSystemDirectoryA 6452->6489 6453 2f8cfad GetEnvironmentVariableA 6453->6489 6454 2f8675c 21 API calls 6454->6489 6455 2f8d027 GetSystemDirectoryA 6455->6489 6456 2f8d105 lstrcatA 6456->6489 6457 2f8ef1e lstrlenA 6457->6489 6458 2f8cc9f 
CreateFileA 6459 2f8ccc6 WriteFile 6458->6459 6458->6489 6463 2f8cdcc CloseHandle 6459->6463 6464 2f8cced CloseHandle 6459->6464 6460 2f88e26 GetSystemTime SystemTimeToFileTime CreateFileW DeviceIoControl CloseHandle 6460->6489 6461 2f8d15b CreateFileA 6462 2f8d182 WriteFile CloseHandle 6461->6462 6461->6489 6462->6489 6463->6489 6469 2f8cd2f 6464->6469 6465 2f8cd16 wsprintfA 6465->6469 6466 2f8d149 SetFileAttributesA 6466->6461 6467 2f8d36e GetEnvironmentVariableA 6467->6489 6468 2f8d1bf SetFileAttributesA 6468->6489 6469->6465 7040 2f87fcf 6469->7040 6470 2f8d22d GetEnvironmentVariableA 6470->6489 6471 2f8d3af lstrcatA 6473 2f8d3f2 CreateFileA 6471->6473 6471->6489 6476 2f8d415 WriteFile CloseHandle 6473->6476 6473->6489 6475 2f87fcf 64 API calls 6475->6489 6476->6489 6477 2f8cda5 6480 2f87ee6 64 API calls 6477->6480 6478 2f8cd81 WaitForSingleObject CloseHandle CloseHandle 6479 2f8f04e 4 API calls 6478->6479 6479->6477 6484 2f8cdbd DeleteFileA 6480->6484 6481 2f8d4b1 CreateProcessA 6485 2f8d4e8 CloseHandle CloseHandle 6481->6485 6481->6489 6482 2f8d3e0 SetFileAttributesA 6482->6473 6483 2f8d26e lstrcatA 6486 2f8d2b1 CreateFileA 6483->6486 6483->6489 6484->6489 6485->6489 6486->6489 6490 2f8d2d8 WriteFile CloseHandle 6486->6490 6487 2f87ee6 64 API calls 6487->6489 6488 2f8d452 SetFileAttributesA 6488->6489 6489->6426 6489->6429 6489->6434 6489->6440 6489->6441 6489->6442 6489->6443 6489->6444 6489->6445 6489->6446 6489->6448 6489->6449 6489->6451 6489->6452 6489->6453 6489->6454 6489->6455 6489->6456 6489->6457 6489->6458 6489->6460 6489->6461 6489->6466 6489->6467 6489->6468 6489->6470 6489->6471 6489->6473 6489->6475 6489->6481 6489->6482 6489->6483 6489->6486 6489->6487 6489->6488 6492 2f8d29f SetFileAttributesA 6489->6492 6494 2f8d31d SetFileAttributesA 6489->6494 7019 2f8c75d 6489->7019 7031 2f87e2f 6489->7031 7053 2f87ead 6489->7053 7063 2f831d0 6489->7063 7080 2f83c09 6489->7080 7090 2f83a00 6489->7090 7094 2f8e7b4 6489->7094 7097 2f8c06c 6489->7097 7103 
2f86f5f GetUserNameA 6489->7103 7114 2f8e854 6489->7114 7124 2f87dd6 6489->7124 6490->6489 6492->6486 6494->6489 6496 2f8677a SetFileAttributesA 6495->6496 6497 2f86784 CreateFileA 6495->6497 6496->6497 6498 2f867a4 CreateFileA 6497->6498 6499 2f867b5 6497->6499 6498->6499 6500 2f867ba SetFileAttributesA 6499->6500 6501 2f867c5 6499->6501 6500->6501 6502 2f867cf GetFileSize 6501->6502 6503 2f86977 6501->6503 6504 2f867e5 6502->6504 6522 2f86965 6502->6522 6503->6191 6523 2f86a60 CreateFileA 6503->6523 6506 2f867ed ReadFile 6504->6506 6504->6522 6505 2f8696e FindCloseChangeNotification 6505->6503 6507 2f86811 SetFilePointer 6506->6507 6506->6522 6508 2f8682a ReadFile 6507->6508 6507->6522 6509 2f86848 SetFilePointer 6508->6509 6508->6522 6510 2f86867 6509->6510 6509->6522 6511 2f86878 ReadFile 6510->6511 6512 2f868d5 6510->6512 6513 2f868d0 6511->6513 6515 2f86891 6511->6515 6512->6505 6514 2f8ebcc 4 API calls 6512->6514 6513->6512 6516 2f868f8 6514->6516 6515->6511 6515->6513 6517 2f86900 SetFilePointer 6516->6517 6516->6522 6518 2f8695a 6517->6518 6519 2f8690d ReadFile 6517->6519 6521 2f8ec2e codecvt 4 API calls 6518->6521 6519->6518 6520 2f86922 6519->6520 6520->6505 6521->6522 6522->6505 6524 2f86b8c GetLastError 6523->6524 6525 2f86a8f GetDiskFreeSpaceA 6523->6525 6533 2f86b86 6524->6533 6526 2f86ac5 6525->6526 6535 2f86ad7 6525->6535 7209 2f8eb0e 6526->7209 6530 2f86b56 CloseHandle 6532 2f86b65 GetLastError CloseHandle 6530->6532 6530->6533 6531 2f86b36 GetLastError CloseHandle 6534 2f86b7f DeleteFileA 6531->6534 6532->6534 6533->6206 6534->6533 7213 2f86987 6535->7213 6537 2f896b9 6536->6537 6538 2f873ff 17 API calls 6537->6538 6539 2f896e2 6538->6539 6540 2f896f7 6539->6540 6541 2f8704c 16 API calls 6539->6541 6540->6182 6540->6183 6541->6540 6543 2f842a5 6542->6543 6544 2f8429d 6542->6544 7219 2f83ecd 6543->7219 6544->6187 6544->6203 6546 2f842b0 7223 2f84000 6546->7223 6548 2f843c1 CloseHandle 6548->6544 6549 2f842b6 6549->6544 6549->6548 7229 2f83f18 
WriteFile 6549->7229 6554 2f843ba CloseHandle 6554->6548 6555 2f84318 6556 2f83f18 4 API calls 6555->6556 6557 2f84331 6556->6557 6558 2f83f18 4 API calls 6557->6558 6559 2f8434a 6558->6559 6560 2f8ebcc 4 API calls 6559->6560 6561 2f84350 6560->6561 6562 2f83f18 4 API calls 6561->6562 6563 2f84389 6562->6563 6564 2f8ec2e codecvt 4 API calls 6563->6564 6565 2f8438f 6564->6565 6566 2f83f8c 4 API calls 6565->6566 6567 2f8439f CloseHandle CloseHandle 6566->6567 6567->6544 6569 2f899eb 6568->6569 6570 2f89a2f lstrcatA 6569->6570 6571 2f8ee2a 6570->6571 6572 2f89a4b lstrcatA 6571->6572 6573 2f86a60 13 API calls 6572->6573 6574 2f89a60 6573->6574 6574->6212 6574->6241 6575 2f86dc2 6574->6575 6576 2f86e33 6575->6576 6577 2f86dd7 6575->6577 6576->6228 6578 2f86cc9 5 API calls 6577->6578 6579 2f86ddc 6578->6579 6579->6579 6580 2f86e02 GetVolumeInformationA 6579->6580 6581 2f86e24 6579->6581 6580->6581 6581->6576 6583 2f86cdc GetModuleHandleA GetProcAddress 6582->6583 6588 2f86d8b 6582->6588 6584 2f86cfd 6583->6584 6585 2f86d12 GetSystemDirectoryA 6583->6585 6584->6585 6584->6588 6586 2f86d1e 6585->6586 6587 2f86d27 GetWindowsDirectoryA 6585->6587 6586->6587 6586->6588 6589 2f86d42 6587->6589 6588->6238 6590 2f8ef1e lstrlenA 6589->6590 6590->6588 7237 2f81910 6591->7237 6594 2f8934a GetModuleHandleA GetModuleFileNameA 6596 2f8937f 6594->6596 6597 2f893d9 6596->6597 6598 2f893a4 6596->6598 6600 2f89401 wsprintfA 6597->6600 6599 2f893c3 wsprintfA 6598->6599 6601 2f89415 6599->6601 6600->6601 6602 2f894a0 6601->6602 6605 2f86cc9 5 API calls 6601->6605 6603 2f86edd 5 API calls 6602->6603 6604 2f894ac 6603->6604 6606 2f8962f 6604->6606 6607 2f894e8 RegOpenKeyExA 6604->6607 6611 2f89439 6605->6611 6612 2f89646 6606->6612 7252 2f81820 6606->7252 6609 2f894fb 6607->6609 6610 2f89502 6607->6610 6609->6606 6614 2f8958a 6609->6614 6615 2f8951f RegQueryValueExA 6610->6615 6616 2f8ef1e lstrlenA 6611->6616 6621 2f895d6 6612->6621 7258 2f891eb 6612->7258 6614->6612 6617 2f89593 6614->6617 
6618 2f89539 6615->6618 6619 2f89530 6615->6619 6620 2f89462 6616->6620 6617->6621 7239 2f8f0e4 6617->7239 6623 2f89556 RegQueryValueExA 6618->6623 6622 2f8956e RegCloseKey 6619->6622 6624 2f8947e wsprintfA 6620->6624 6621->6248 6621->6249 6622->6609 6623->6619 6623->6622 6624->6602 6626 2f895bb 6626->6621 7246 2f818e0 6626->7246 6629 2f82544 6628->6629 6630 2f8972d RegOpenKeyExA 6629->6630 6631 2f89740 6630->6631 6632 2f89765 6630->6632 6633 2f8974f RegDeleteValueA RegCloseKey 6631->6633 6632->6223 6633->6632 6635 2f82554 lstrcatA 6634->6635 6636 2f8ee2a 6635->6636 6637 2f8a0ec lstrcatA 6636->6637 6637->6256 6639 2f8a15d 6638->6639 6640 2f8ec37 6638->6640 6639->6187 6639->6191 6641 2f8eba0 codecvt 2 API calls 6640->6641 6642 2f8ec3d GetProcessHeap RtlFreeHeap 6641->6642 6642->6639 6644 2f82544 6643->6644 6645 2f8919e wsprintfA 6644->6645 6646 2f891bb 6645->6646 7296 2f89064 GetTempPathA 6646->7296 6649 2f891d5 ShellExecuteA 6650 2f891e7 6649->6650 6650->6206 6652 2f86ed5 6651->6652 6653 2f86ecc 6651->6653 6652->6243 6654 2f86e36 2 API calls 6653->6654 6654->6652 6656 2f898f6 6655->6656 6657 2f84280 30 API calls 6656->6657 6658 2f89904 Sleep 6656->6658 6659 2f89915 6656->6659 6657->6656 6658->6656 6658->6659 6661 2f89947 6659->6661 7303 2f8977c 6659->7303 6661->6239 6663 2f8dd41 InterlockedExchange 6662->6663 6664 2f8dd4a 6663->6664 6665 2f8dd20 GetCurrentThreadId 6663->6665 6667 2f8dd53 GetCurrentThreadId 6664->6667 6666 2f8dd2e GetTickCount 6665->6666 6665->6667 6668 2f8dd39 Sleep 6666->6668 6669 2f8dd4c 6666->6669 6667->6275 6668->6663 6669->6667 6671 2f8dbf0 6670->6671 6703 2f8db67 GetEnvironmentVariableA 6671->6703 6673 2f8dc19 6674 2f8dcda 6673->6674 6675 2f8db67 3 API calls 6673->6675 6674->6277 6676 2f8dc5c 6675->6676 6676->6674 6677 2f8db67 3 API calls 6676->6677 6678 2f8dc9b 6677->6678 6678->6674 6679 2f8db67 3 API calls 6678->6679 6679->6674 6681 2f8e528 6680->6681 6682 2f8e3f4 6680->6682 6681->6289 6683 2f8e434 RegQueryValueExA 6682->6683 6684 2f8e458 
6683->6684 6685 2f8e51d RegCloseKey 6683->6685 6686 2f8e46e RegQueryValueExA 6684->6686 6685->6681 6686->6684 6687 2f8e488 6686->6687 6687->6685 6688 2f8db2e 8 API calls 6687->6688 6689 2f8e499 6688->6689 6689->6685 6690 2f8e4b9 RegQueryValueExA 6689->6690 6691 2f8e4e8 6689->6691 6690->6689 6690->6691 6691->6685 6692 2f8e332 14 API calls 6691->6692 6693 2f8e513 6692->6693 6693->6685 6695 2f8db3a 6694->6695 6696 2f8db55 6694->6696 6707 2f8ebed 6695->6707 6696->6279 6696->6284 6725 2f8f04e SystemTimeToFileTime GetSystemTimeAsFileTime 6698->6725 6700 2f8e3be 6700->6279 6701 2f8e342 6701->6700 6728 2f8de24 6701->6728 6704 2f8dbca 6703->6704 6706 2f8db89 lstrcpyA CreateFileA 6703->6706 6704->6673 6706->6673 6708 2f8ec01 6707->6708 6709 2f8ebf6 6707->6709 6719 2f8eba0 6708->6719 6716 2f8ebcc GetProcessHeap RtlAllocateHeap 6709->6716 6717 2f8eb74 2 API calls 6716->6717 6718 2f8ebe8 6717->6718 6718->6696 6720 2f8eba7 GetProcessHeap HeapSize 6719->6720 6721 2f8ebbf GetProcessHeap HeapReAlloc 6719->6721 6720->6721 6722 2f8eb74 6721->6722 6723 2f8eb7b GetProcessHeap HeapSize 6722->6723 6724 2f8eb93 6722->6724 6723->6724 6724->6696 6739 2f8eb41 6725->6739 6727 2f8f0b7 6727->6701 6729 2f8de3a 6728->6729 6734 2f8de4e 6729->6734 6748 2f8dd84 6729->6748 6732 2f8ebed 8 API calls 6737 2f8def6 6732->6737 6733 2f8de9e 6733->6732 6733->6734 6734->6701 6735 2f8de76 6752 2f8ddcf 6735->6752 6737->6734 6738 2f8ddcf lstrcmpA 6737->6738 6738->6734 6740 2f8eb4a 6739->6740 6743 2f8eb61 6739->6743 6744 2f8eae4 6740->6744 6742 2f8eb54 6742->6727 6742->6743 6743->6727 6745 2f8eaed LoadLibraryA 6744->6745 6746 2f8eb02 GetProcAddress 6744->6746 6745->6746 6747 2f8eb01 6745->6747 6746->6742 6747->6742 6749 2f8dd96 6748->6749 6750 2f8ddc5 6748->6750 6749->6750 6751 2f8ddad lstrcmpiA 6749->6751 6750->6733 6750->6735 6751->6749 6751->6750 6753 2f8de20 6752->6753 6754 2f8dddd 6752->6754 6753->6734 6754->6753 6755 2f8ddfa lstrcmpA 6754->6755 6755->6754 6757 2f8dd05 6 API calls 6756->6757 6758 2f8e821 
6757->6758 6759 2f8dd84 lstrcmpiA 6758->6759 6760 2f8e82c 6759->6760 6761 2f8e844 6760->6761 6806 2f82480 6760->6806 6761->6304 6764 2f8ea98 6763->6764 6815 2f8e8a1 6764->6815 6766 2f81e84 6766->6313 6768 2f819d5 GetProcAddress GetProcAddress GetProcAddress 6767->6768 6771 2f819ce 6767->6771 6769 2f81ab3 FreeLibrary 6768->6769 6770 2f81a04 6768->6770 6769->6771 6770->6769 6772 2f81a14 GetBestInterface GetProcessHeap 6770->6772 6771->6317 6772->6771 6773 2f81a2e HeapAlloc 6772->6773 6773->6771 6774 2f81a42 GetAdaptersInfo 6773->6774 6775 2f81a62 6774->6775 6776 2f81a52 HeapReAlloc 6774->6776 6777 2f81a69 GetAdaptersInfo 6775->6777 6778 2f81aa1 FreeLibrary 6775->6778 6776->6775 6777->6778 6779 2f81a75 HeapFree 6777->6779 6778->6771 6779->6778 6843 2f81ac3 LoadLibraryA 6781->6843 6784 2f81bcf 6784->6329 6786 2f81ac3 13 API calls 6785->6786 6787 2f81c09 6786->6787 6788 2f81c5a 6787->6788 6789 2f81c0d GetComputerNameA 6787->6789 6788->6336 6790 2f81c1f 6789->6790 6791 2f81c45 GetVolumeInformationA 6789->6791 6790->6791 6792 2f81c41 6790->6792 6791->6788 6792->6788 6794 2f8ee2a 6793->6794 6795 2f830d0 gethostname gethostbyname 6794->6795 6796 2f81f82 6795->6796 6796->6341 6796->6343 6798 2f8dd05 6 API calls 6797->6798 6799 2f8df7c 6798->6799 6800 2f8dd84 lstrcmpiA 6799->6800 6804 2f8df89 6800->6804 6801 2f8dfc4 6801->6310 6802 2f8ddcf lstrcmpA 6802->6804 6803 2f8ec2e codecvt 4 API calls 6803->6804 6804->6801 6804->6802 6804->6803 6805 2f8dd84 lstrcmpiA 6804->6805 6805->6804 6809 2f82419 lstrlenA 6806->6809 6808 2f82491 6808->6761 6810 2f8243d lstrlenA 6809->6810 6811 2f82474 6809->6811 6812 2f8244e lstrcmpiA 6810->6812 6813 2f82464 lstrlenA 6810->6813 6811->6808 6812->6813 6814 2f8245c 6812->6814 6813->6810 6813->6811 6814->6811 6814->6813 6816 2f8dd05 6 API calls 6815->6816 6817 2f8e8b4 6816->6817 6818 2f8dd84 lstrcmpiA 6817->6818 6819 2f8e8c0 6818->6819 6820 2f8e8c8 lstrcpynA 6819->6820 6821 2f8e90a 6819->6821 6822 2f8e8f5 6820->6822 6823 2f82419 4 API calls 6821->6823 
6831 2f8ea27 6821->6831 6836 2f8df4c 6822->6836 6824 2f8e926 lstrlenA lstrlenA 6823->6824 6826 2f8e96a 6824->6826 6827 2f8e94c lstrlenA 6824->6827 6830 2f8ebcc 4 API calls 6826->6830 6826->6831 6827->6826 6828 2f8e901 6829 2f8dd84 lstrcmpiA 6828->6829 6829->6821 6832 2f8e98f 6830->6832 6831->6766 6832->6831 6833 2f8df4c 20 API calls 6832->6833 6834 2f8ea1e 6833->6834 6835 2f8ec2e codecvt 4 API calls 6834->6835 6835->6831 6837 2f8dd05 6 API calls 6836->6837 6838 2f8df51 6837->6838 6839 2f8f04e 4 API calls 6838->6839 6840 2f8df58 6839->6840 6841 2f8de24 10 API calls 6840->6841 6842 2f8df63 6841->6842 6842->6828 6844 2f81ae2 GetProcAddress 6843->6844 6848 2f81b68 GetComputerNameA GetVolumeInformationA 6843->6848 6845 2f81af5 6844->6845 6844->6848 6846 2f81b1c GetAdaptersAddresses 6845->6846 6847 2f8ebed 8 API calls 6845->6847 6849 2f81b29 6845->6849 6846->6845 6846->6849 6847->6845 6848->6784 6849->6848 6850 2f8ec2e codecvt 4 API calls 6849->6850 6850->6848 6852 2f86ec3 2 API calls 6851->6852 6853 2f87ef4 6852->6853 6854 2f87fc9 6853->6854 6887 2f873ff 6853->6887 6854->6352 6856 2f87f16 6856->6854 6907 2f87809 GetUserNameA 6856->6907 6858 2f87f63 6858->6854 6931 2f8ef1e lstrlenA 6858->6931 6861 2f8ef1e lstrlenA 6862 2f87fb7 6861->6862 6933 2f87a95 RegOpenKeyExA 6862->6933 6865 2f87073 6864->6865 6866 2f870b9 RegOpenKeyExA 6865->6866 6867 2f871b8 6866->6867 6868 2f870d0 6866->6868 6867->6353 6869 2f86dc2 6 API calls 6868->6869 6872 2f870d5 6869->6872 6870 2f8719b RegEnumValueA 6871 2f871af RegCloseKey 6870->6871 6870->6872 6871->6867 6872->6870 6874 2f871d0 6872->6874 6964 2f8f1a5 lstrlenA 6872->6964 6875 2f87205 RegCloseKey 6874->6875 6876 2f87227 6874->6876 6875->6867 6877 2f872b8 ___ascii_stricmp 6876->6877 6878 2f8728e RegCloseKey 6876->6878 6879 2f872cd RegCloseKey 6877->6879 6880 2f872dd 6877->6880 6878->6867 6879->6867 6881 2f87311 RegCloseKey 6880->6881 6882 2f87335 6880->6882 6881->6867 6883 2f873d5 RegCloseKey 6882->6883 6885 2f8737e GetFileAttributesExA 
6882->6885 6886 2f87397 6882->6886 6884 2f873e4 6883->6884 6885->6886 6886->6883 6888 2f8741b 6887->6888 6889 2f86dc2 6 API calls 6888->6889 6890 2f8743f 6889->6890 6891 2f87469 RegOpenKeyExA 6890->6891 6893 2f877f9 6891->6893 6902 2f87487 ___ascii_stricmp 6891->6902 6892 2f87703 RegEnumKeyA 6894 2f87714 RegCloseKey 6892->6894 6892->6902 6893->6856 6894->6893 6895 2f874d2 RegOpenKeyExA 6895->6902 6896 2f8772c 6898 2f8774b 6896->6898 6899 2f87742 RegCloseKey 6896->6899 6897 2f87521 RegQueryValueExA 6897->6902 6900 2f877ec RegCloseKey 6898->6900 6899->6898 6900->6893 6901 2f876e4 RegCloseKey 6901->6902 6902->6892 6902->6895 6902->6896 6902->6897 6902->6901 6904 2f8f1a5 lstrlenA 6902->6904 6905 2f8777e GetFileAttributesExA 6902->6905 6906 2f87769 6902->6906 6903 2f877e3 RegCloseKey 6903->6900 6904->6902 6905->6906 6906->6903 6908 2f8783d LookupAccountNameA 6907->6908 6909 2f87a8d 6907->6909 6908->6909 6910 2f87874 GetLengthSid GetFileSecurityA 6908->6910 6909->6858 6910->6909 6911 2f878a8 GetSecurityDescriptorOwner 6910->6911 6912 2f8791d GetSecurityDescriptorDacl 6911->6912 6913 2f878c5 EqualSid 6911->6913 6912->6909 6921 2f87941 6912->6921 6913->6912 6914 2f878dc LocalAlloc 6913->6914 6914->6912 6915 2f878ef InitializeSecurityDescriptor 6914->6915 6917 2f878fb SetSecurityDescriptorOwner 6915->6917 6918 2f87916 LocalFree 6915->6918 6916 2f8795b GetAce 6916->6921 6917->6918 6919 2f8790b SetFileSecurityA 6917->6919 6918->6912 6919->6918 6920 2f87980 EqualSid 6920->6921 6921->6909 6921->6916 6921->6920 6922 2f87a3d 6921->6922 6923 2f879be EqualSid 6921->6923 6924 2f8799d DeleteAce 6921->6924 6922->6909 6925 2f87a43 LocalAlloc 6922->6925 6923->6921 6924->6921 6925->6909 6926 2f87a56 InitializeSecurityDescriptor 6925->6926 6927 2f87a62 SetSecurityDescriptorDacl 6926->6927 6928 2f87a86 LocalFree 6926->6928 6927->6928 6929 2f87a73 SetFileSecurityA 6927->6929 6928->6909 6929->6928 6930 2f87a83 6929->6930 6930->6928 6932 2f87fa6 6931->6932 6932->6861 6934 2f87acb GetUserNameA 
6933->6934 6935 2f87ac4 6933->6935 6936 2f87aed LookupAccountNameA 6934->6936 6937 2f87da7 RegCloseKey 6934->6937 6935->6854 6936->6937 6938 2f87b24 RegGetKeySecurity 6936->6938 6937->6935 6938->6937 6939 2f87b49 GetSecurityDescriptorOwner 6938->6939 6940 2f87bb8 GetSecurityDescriptorDacl 6939->6940 6941 2f87b63 EqualSid 6939->6941 6943 2f87da6 6940->6943 6956 2f87bdc 6940->6956 6941->6940 6942 2f87b74 LocalAlloc 6941->6942 6942->6940 6944 2f87b8a InitializeSecurityDescriptor 6942->6944 6943->6937 6945 2f87bb1 LocalFree 6944->6945 6946 2f87b96 SetSecurityDescriptorOwner 6944->6946 6945->6940 6946->6945 6948 2f87ba6 RegSetKeySecurity 6946->6948 6947 2f87bf8 GetAce 6947->6956 6948->6945 6949 2f87c1d EqualSid 6949->6956 6950 2f87c5f EqualSid 6950->6956 6951 2f87cd9 6951->6943 6953 2f87d5a LocalAlloc 6951->6953 6954 2f87cf2 RegOpenKeyExA 6951->6954 6952 2f87c3a DeleteAce 6952->6956 6953->6943 6955 2f87d70 InitializeSecurityDescriptor 6953->6955 6954->6953 6961 2f87d0f 6954->6961 6957 2f87d7c SetSecurityDescriptorDacl 6955->6957 6958 2f87d9f LocalFree 6955->6958 6956->6943 6956->6947 6956->6949 6956->6950 6956->6951 6956->6952 6957->6958 6959 2f87d8c RegSetKeySecurity 6957->6959 6958->6943 6959->6958 6960 2f87d9c 6959->6960 6960->6958 6962 2f87d43 RegSetValueExA 6961->6962 6962->6953 6963 2f87d54 6962->6963 6963->6953 6965 2f8f1c3 6964->6965 6965->6872 6966->6372 6968 2f8dd05 6 API calls 6967->6968 6971 2f8e65f 6968->6971 6969 2f8e6a5 6970 2f8ebcc 4 API calls 6969->6970 6976 2f8e6f5 6969->6976 6973 2f8e6b0 6970->6973 6971->6969 6972 2f8e68c lstrcmpA 6971->6972 6972->6971 6974 2f8e6b7 6973->6974 6975 2f8e6e0 lstrcpynA 6973->6975 6973->6976 6974->6374 6975->6976 6976->6974 6977 2f8e71d lstrcmpA 6976->6977 6977->6976 6978->6380 6980 2f82692 inet_addr 6979->6980 6982 2f8268e 6979->6982 6981 2f8269e gethostbyname 6980->6981 6980->6982 6981->6982 6983 2f8f428 6982->6983 7131 2f8f315 6983->7131 6986 2f8f43e 6987 2f8f473 recv 6986->6987 6988 2f8f458 6987->6988 6989 2f8f47c 
6987->6989 6988->6987 6988->6989 6989->6411 6991 2f8c532 6990->6991 6992 2f8c525 6990->6992 6993 2f8c548 6991->6993 7144 2f8e7ff 6991->7144 6992->6991 6994 2f8ec2e codecvt 4 API calls 6992->6994 6996 2f8e7ff lstrcmpiA 6993->6996 7004 2f8c54f 6993->7004 6994->6991 6997 2f8c615 6996->6997 6998 2f8ebcc 4 API calls 6997->6998 6997->7004 6998->7004 6999 2f8c5d1 7002 2f8ebcc 4 API calls 6999->7002 7001 2f8e819 11 API calls 7003 2f8c5b7 7001->7003 7002->7004 7005 2f8f04e 4 API calls 7003->7005 7004->6393 7006 2f8c5bf 7005->7006 7006->6993 7006->6999 7008 2f8c8d2 7007->7008 7009 2f8c907 7008->7009 7010 2f8c517 23 API calls 7008->7010 7009->6395 7010->7009 7012 2f8c670 7011->7012 7013 2f8c67d 7011->7013 7014 2f8ebcc 4 API calls 7012->7014 7015 2f8ebcc 4 API calls 7013->7015 7017 2f8c699 7013->7017 7014->7013 7015->7017 7016 2f8c6f3 7016->6424 7016->6489 7017->7016 7018 2f8c73c send 7017->7018 7018->7016 7020 2f8c770 7019->7020 7022 2f8c77d 7019->7022 7021 2f8ebcc 4 API calls 7020->7021 7021->7022 7023 2f8c799 7022->7023 7025 2f8ebcc 4 API calls 7022->7025 7024 2f8c7b5 7023->7024 7026 2f8ebcc 4 API calls 7023->7026 7027 2f8f43e recv 7024->7027 7025->7023 7026->7024 7028 2f8c7cb 7027->7028 7029 2f8f43e recv 7028->7029 7030 2f8c7d3 7028->7030 7029->7030 7030->6489 7147 2f87db7 7031->7147 7034 2f8f04e 4 API calls 7036 2f87e4c 7034->7036 7035 2f87e96 7035->6489 7038 2f8f04e 4 API calls 7036->7038 7039 2f87e70 7036->7039 7037 2f8f04e 4 API calls 7037->7035 7038->7039 7039->7035 7039->7037 7041 2f86ec3 2 API calls 7040->7041 7042 2f87fdd 7041->7042 7043 2f873ff 17 API calls 7042->7043 7052 2f880c2 CreateProcessA 7042->7052 7044 2f87fff 7043->7044 7045 2f87809 21 API calls 7044->7045 7044->7052 7046 2f8804d 7045->7046 7047 2f8ef1e lstrlenA 7046->7047 7046->7052 7048 2f8809e 7047->7048 7049 2f8ef1e lstrlenA 7048->7049 7050 2f880af 7049->7050 7051 2f87a95 24 API calls 7050->7051 7051->7052 7052->6477 7052->6478 7054 2f87db7 2 API calls 7053->7054 7055 2f87eb8 7054->7055 7056 2f8f04e 
4 API calls 7055->7056 7057 2f87ece DeleteFileA 7056->7057 7057->6489 7059 2f8dd05 6 API calls 7058->7059 7060 2f8e31d 7059->7060 7151 2f8e177 7060->7151 7062 2f8e326 7062->6450 7064 2f831f3 7063->7064 7066 2f831ec 7063->7066 7065 2f8ebcc 4 API calls 7064->7065 7079 2f831fc 7065->7079 7066->6489 7067 2f83459 7070 2f8f04e 4 API calls 7067->7070 7068 2f8349d 7069 2f8ec2e codecvt 4 API calls 7068->7069 7069->7066 7071 2f8345f 7070->7071 7072 2f830fa 4 API calls 7071->7072 7072->7066 7073 2f8ebcc GetProcessHeap HeapSize GetProcessHeap RtlAllocateHeap 7073->7079 7074 2f8344d 7075 2f8ec2e codecvt 4 API calls 7074->7075 7076 2f8344b 7075->7076 7076->7067 7076->7068 7078 2f83141 lstrcmpiA 7078->7079 7079->7066 7079->7073 7079->7074 7079->7076 7079->7078 7177 2f830fa GetTickCount 7079->7177 7081 2f830fa 4 API calls 7080->7081 7082 2f83c1a 7081->7082 7083 2f83ce6 7082->7083 7182 2f83a72 7082->7182 7083->6489 7086 2f83a72 9 API calls 7087 2f83c5e 7086->7087 7087->7083 7088 2f83a72 9 API calls 7087->7088 7089 2f8ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7087->7089 7088->7087 7089->7087 7091 2f83a10 7090->7091 7092 2f830fa 4 API calls 7091->7092 7093 2f83a1a 7092->7093 7093->6489 7095 2f8dd05 6 API calls 7094->7095 7096 2f8e7be 7095->7096 7096->6489 7098 2f8c07e wsprintfA 7097->7098 7099 2f8c105 7097->7099 7191 2f8bfce GetTickCount wsprintfA 7098->7191 7099->6489 7101 2f8c0ef 7192 2f8bfce GetTickCount wsprintfA 7101->7192 7104 2f86f88 LookupAccountNameA 7103->7104 7105 2f87047 7103->7105 7107 2f86fcb 7104->7107 7108 2f87025 7104->7108 7105->6489 7110 2f86fdb ConvertSidToStringSidA 7107->7110 7193 2f86edd 7108->7193 7110->7108 7112 2f86ff1 7110->7112 7113 2f87013 LocalFree 7112->7113 7113->7108 7115 2f8dd05 6 API calls 7114->7115 7116 2f8e85c 7115->7116 7117 2f8dd84 lstrcmpiA 7116->7117 7118 2f8e867 7117->7118 7119 2f8e885 lstrcpyA 7118->7119 7204 2f824a5 7118->7204 7207 2f8dd69 7119->7207 7125 2f87db7 2 API calls 7124->7125 7126 2f87de1 7125->7126 7127 
2f87e16 7126->7127 7128 2f8f04e 4 API calls 7126->7128 7127->6489 7129 2f87df2 7128->7129 7129->7127 7130 2f8f04e 4 API calls 7129->7130 7130->7127 7132 2f8f33b 7131->7132 7139 2f8ca1d 7131->7139 7133 2f8f347 htons socket 7132->7133 7134 2f8f382 ioctlsocket 7133->7134 7135 2f8f374 closesocket 7133->7135 7136 2f8f3aa connect select 7134->7136 7137 2f8f39d 7134->7137 7135->7139 7136->7139 7140 2f8f3f2 __WSAFDIsSet 7136->7140 7138 2f8f39f closesocket 7137->7138 7138->7139 7139->6408 7139->6986 7140->7138 7141 2f8f403 ioctlsocket 7140->7141 7143 2f8f26d setsockopt setsockopt setsockopt setsockopt setsockopt 7141->7143 7143->7139 7145 2f8dd84 lstrcmpiA 7144->7145 7146 2f8c58e 7145->7146 7146->6993 7146->6999 7146->7001 7148 2f87dc8 InterlockedExchange 7147->7148 7149 2f87dc0 Sleep 7148->7149 7150 2f87dd4 7148->7150 7149->7148 7150->7034 7150->7039 7152 2f8e184 7151->7152 7153 2f8e2e4 7152->7153 7154 2f8e223 7152->7154 7167 2f8dfe2 7152->7167 7153->7062 7154->7153 7156 2f8dfe2 8 API calls 7154->7156 7160 2f8e23c 7156->7160 7157 2f8e1be 7157->7154 7158 2f8dbcf 3 API calls 7157->7158 7161 2f8e1d6 7158->7161 7159 2f8e21a CloseHandle 7159->7154 7160->7153 7171 2f8e095 RegCreateKeyExA 7160->7171 7161->7154 7161->7159 7162 2f8e1f9 WriteFile 7161->7162 7162->7159 7163 2f8e213 7162->7163 7163->7159 7165 2f8e2a3 7165->7153 7166 2f8e095 4 API calls 7165->7166 7166->7153 7168 2f8dffc 7167->7168 7170 2f8e024 7167->7170 7169 2f8db2e 8 API calls 7168->7169 7168->7170 7169->7170 7170->7157 7172 2f8e172 7171->7172 7174 2f8e0c0 7171->7174 7172->7165 7173 2f8e13d 7175 2f8e14e RegDeleteValueA RegCloseKey 7173->7175 7174->7173 7176 2f8e115 RegSetValueExA 7174->7176 7175->7172 7176->7173 7176->7174 7178 2f83122 InterlockedExchange 7177->7178 7179 2f8312e 7178->7179 7180 2f8310f GetTickCount 7178->7180 7179->7079 7180->7179 7181 2f8311a Sleep 7180->7181 7181->7178 7183 2f8f04e 4 API calls 7182->7183 7184 2f83a83 7183->7184 7188 2f83bc0 7184->7188 7189 2f83b66 lstrlenA 7184->7189 7190 2f83ac1 
7184->7190 7185 2f8ec2e GetProcessHeap HeapSize GetProcessHeap RtlFreeHeap codecvt 7185->7188 7186 2f83be6 7187 2f8ec2e codecvt 4 API calls 7186->7187 7187->7190 7188->7185 7188->7186 7189->7184 7189->7190 7190->7083 7190->7086 7191->7101 7192->7099 7194 2f86f55 wsprintfA 7193->7194 7195 2f86eef AllocateAndInitializeSid 7193->7195 7194->7105 7196 2f86f1c CheckTokenMembership 7195->7196 7197 2f86f44 7195->7197 7198 2f86f3b FreeSid 7196->7198 7199 2f86f2e 7196->7199 7197->7194 7201 2f86e36 GetUserNameW 7197->7201 7198->7197 7199->7198 7202 2f86e5f LookupAccountNameW 7201->7202 7203 2f86e97 7201->7203 7202->7203 7203->7194 7205 2f82419 4 API calls 7204->7205 7206 2f824b6 7205->7206 7206->7119 7208 2f8dd79 lstrlenA 7207->7208 7208->6489 7210 2f8eb21 7209->7210 7211 2f8eb17 7209->7211 7210->6535 7212 2f8eae4 2 API calls 7211->7212 7212->7210 7214 2f869b9 WriteFile 7213->7214 7216 2f86a3c 7214->7216 7217 2f869ff 7214->7217 7216->6530 7216->6531 7217->7216 7218 2f86a10 WriteFile 7217->7218 7218->7216 7218->7217 7220 2f83edc 7219->7220 7221 2f83ee2 7219->7221 7222 2f86dc2 6 API calls 7220->7222 7221->6546 7222->7221 7224 2f8400b CreateFileA 7223->7224 7225 2f8402c GetLastError 7224->7225 7226 2f84052 7224->7226 7225->7226 7227 2f84037 7225->7227 7226->6549 7227->7226 7228 2f84041 Sleep 7227->7228 7228->7224 7228->7226 7230 2f83f7c 7229->7230 7231 2f83f4e GetLastError 7229->7231 7233 2f83f8c ReadFile 7230->7233 7231->7230 7232 2f83f5b WaitForSingleObject GetOverlappedResult 7231->7232 7232->7230 7234 2f83fc2 GetLastError 7233->7234 7236 2f83ff0 7233->7236 7235 2f83fcf WaitForSingleObject GetOverlappedResult 7234->7235 7234->7236 7235->7236 7236->6554 7236->6555 7238 2f81924 GetVersionExA 7237->7238 7238->6594 7240 2f8f0ed 7239->7240 7241 2f8f0f1 7239->7241 7240->6626 7242 2f8f119 7241->7242 7243 2f8f0fa lstrlenA SysAllocStringByteLen 7241->7243 7244 2f8f11c MultiByteToWideChar 7242->7244 7243->7244 7245 2f8f117 7243->7245 7244->7245 7245->6626 7247 2f81820 17 API calls 
[Control-flow graph residue: the Joe Sandbox IDA plugin's rendered node/edge list for the basic blocks at 2f81000 through 2f8f483 of the svchost memory dump is not reproduced here. API calls labelled on the graph nodes: LoadLibraryA, GetProcAddress, GetModuleHandleA, FreeLibrary, GetCurrentProcess, GetCurrentThreadId, GetLastError, GetStartupInfoW, CreateProcessA, CreateProcessWithLogonW, ShellExecuteA, WaitForSingleObject, CloseHandle, ExitProcess, TerminateProcess, Sleep, GetTickCount, GetThreadContext, SetThreadContext, ResumeThread, CreateThread, VirtualAlloc, VirtualAllocEx, VirtualFree, VirtualProtect, WriteProcessMemory, GetProcessHeap, HeapAlloc, HeapFree, IsBadCodePtr, IsBadReadPtr, IsBadWritePtr, InterlockedIncrement, InterlockedDecrement, InterlockedExchange, CreateFileA, ReadFile, WriteFile, DeleteFileA, GetOverlappedResult, GetTempPathA, CreateNamedPipeA, ConnectNamedPipe, DisconnectNamedPipe, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegisterServiceCtrlHandlerA, SetServiceStatus, lstrlenA, lstrlenW, lstrcpyA, lstrcpynA, lstrcmpA, wsprintfA, GetLocalTime, SystemTimeToFileTime, FileTimeToSystemTime, FileTimeToLocalFileTime, GetSystemTimeAsFileTime, GetTimeZoneInformation, StackWalk64, WSAStartup, socket, setsockopt, select, send, sendto, recv, closesocket, htons, htonl, inet_addr, inet_ntoa, gethostname, gethostbyname, gethostbyaddr, DnsQuery_A; one subroutine is labelled codecvt.]
APIs
• closesocket.WS2_32(?), ref: 02F8CA4E
• closesocket.WS2_32(?), ref: 02F8CB63
• GetTempPathA.KERNEL32(00000120,?), ref: 02F8CC28
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02F8CCB4
• WriteFile.KERNEL32(02F8A4B3,?,-000000E8,?,00000000), ref: 02F8CCDC
• CloseHandle.KERNEL32(02F8A4B3), ref: 02F8CCED
• wsprintfA.USER32 ref: 02F8CD21
• CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02F8CD77
• WaitForSingleObject.KERNEL32(?,0000EA60), ref: 02F8CD89
• CloseHandle.KERNEL32(?), ref: 02F8CD98
• CloseHandle.KERNEL32(?), ref: 02F8CD9D
• DeleteFileA.KERNEL32(?), ref: 02F8CDC4
• CloseHandle.KERNEL32(02F8A4B3), ref: 02F8CDCC
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02F8CFB1
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02F8CFEF
• GetSystemDirectoryA.KERNEL32(?,00000100), ref: 02F8D033
• lstrcatA.KERNEL32(?,04700108), ref: 02F8D10C
• SetFileAttributesA.KERNEL32(?,00000080), ref: 02F8D155
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 02F8D171
• WriteFile.KERNEL32(00000000,0470012C,?,?,00000000), ref: 02F8D195
• CloseHandle.KERNEL32(00000000), ref: 02F8D19C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 02F8D1C8
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02F8D231
• lstrcatA.KERNEL32(?,04700108,?,?,?,?,?,?,?,00000100), ref: 02F8D27C
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02F8D2AB
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02F8D2C7
• WriteFile.KERNEL32(00000000,0470012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02F8D2EB
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02F8D2F2
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02F8D326
• GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,00000100), ref: 02F8D372
• lstrcatA.KERNEL32(?,04700108,?,?,?,?,?,?,?,00000100), ref: 02F8D3BD
• SetFileAttributesA.KERNEL32(?,00000080,?,?,?,?,?,?,?,00000100), ref: 02F8D3EC
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,00000100), ref: 02F8D408
• WriteFile.KERNEL32(00000000,0470012C,?,?,00000000,?,?,?,?,?,?,?,00000100), ref: 02F8D428
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,00000100), ref: 02F8D42F
• SetFileAttributesA.KERNEL32(?,00000002,?,?,?,?,?,?,?,00000100), ref: 02F8D45B
• CreateProcessA.KERNEL32(?,02F90264,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 02F8D4DE
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02F8D4F4
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02F8D4FC
• DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000100), ref: 02F8D513
• closesocket.WS2_32(?), ref: 02F8D56C
• Sleep.KERNEL32(000003E8), ref: 02F8D577
• ExitProcess.KERNEL32 ref: 02F8D583
• wsprintfA.USER32 ref: 02F8D81F
  • Part of subcall function 02F8C65C: send.WS2_32(00000000,?,00000000), ref: 02F8C74B
• closesocket.WS2_32(?), ref: 02F8DAD5
Strings
Memory Dump Source
• Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
Yara matches
Similarity
• API ID: File$CloseHandle$AttributesCreate$Writeclosesocket$EnvironmentProcessVariablelstrcat$DeleteDirectorySystemwsprintf$ExitObjectPathSingleSleepTempWaitsend
• String ID: .dat$.sys$4$@$C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe$\$\$drivers\$except_info$flags_upd$lid_file_upd$local_time$localcfg$srv_time$time_cfg$work_srv$wtm_c$wtm_r$wtm_w
• API String ID: 562065436-1169304746
• Opcode ID: 9f07289533b268396342f12cda8c3a9efa7860b7db67eed64cb1b14a4faf68c5
• Instruction ID: 07371efc50ef4e254a3d1c2e12891c95d04c24fadcfee7f8b8277bc78b1c107b
• Opcode Fuzzy Hash: 9f07289533b268396342f12cda8c3a9efa7860b7db67eed64cb1b14a4faf68c5
• Instruction Fuzzy Hash: 77B28172D40209AFFB25BBA4DC85FEAFBB9EF04784F14046AE705A6190DB309955CF60
                                                                        APIs
                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 02F89A7F
                                                                        • SetErrorMode.KERNELBASE(00000003), ref: 02F89A83
                                                                        • SetUnhandledExceptionFilter.KERNEL32(02F86511), ref: 02F89A8A
                                                                          • Part of subcall function 02F8EC54: GetSystemTimeAsFileTime.KERNEL32(?), ref: 02F8EC5E
                                                                          • Part of subcall function 02F8EC54: GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02F8EC72
                                                                          • Part of subcall function 02F8EC54: GetTickCount.KERNEL32 ref: 02F8EC78
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,0000012C), ref: 02F89AB3
                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 02F89ABA
                                                                        • GetCommandLineA.KERNEL32 ref: 02F89AFD
                                                                        • lstrlenA.KERNEL32(?), ref: 02F89B99
                                                                        • ExitProcess.KERNEL32 ref: 02F89C06
                                                                        • GetTempPathA.KERNEL32(000001F4,?), ref: 02F89CAC
                                                                        • lstrcpyA.KERNEL32(?,00000000), ref: 02F89D7A
                                                                        • lstrcatA.KERNEL32(?,?), ref: 02F89D8B
                                                                        • lstrcatA.KERNEL32(?,02F9070C), ref: 02F89D9D
                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02F89DED
                                                                        • DeleteFileA.KERNEL32(00000022), ref: 02F89E38
                                                                        • GetEnvironmentVariableA.KERNEL32(00000000,?,?,?,?,000001F4), ref: 02F89E6F
                                                                        • lstrcpyA.KERNEL32(?,00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02F89EC8
                                                                        • lstrlenA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,?,000001F4), ref: 02F89ED5
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000103,?), ref: 02F89F3B
                                                                        • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000022,?,?,?,00000000,00000103,?), ref: 02F89F5E
                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000103,?), ref: 02F89F6A
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103), ref: 02F89FAD
                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02F89FB4
                                                                        • GetDriveTypeA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02F89FFE
                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 02F8A038
                                                                        • lstrcatA.KERNEL32(00000022,02F90A34), ref: 02F8A05E
                                                                        • lstrcatA.KERNEL32(00000022,00000022), ref: 02F8A072
                                                                        • lstrcatA.KERNEL32(00000022,02F90A34), ref: 02F8A08D
                                                                        • wsprintfA.USER32 ref: 02F8A0B6
                                                                        • lstrcatA.KERNEL32(00000022,00000000), ref: 02F8A0DE
                                                                        • lstrcatA.KERNEL32(00000022,?), ref: 02F8A0FD
                                                                        • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 02F8A120
                                                                        • DeleteFileA.KERNEL32(00000022,?,?,?,?,?,?,?,?,?,?,?,00000000,00000103,?), ref: 02F8A131
                                                                        • GetModuleHandleA.KERNEL32(00000000,00000022,0000012C), ref: 02F8A174
                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 02F8A17B
                                                                        • GetDriveTypeA.KERNEL32(00000022), ref: 02F8A1B6
                                                                        • GetCommandLineA.KERNEL32 ref: 02F8A1E5
                                                                          • Part of subcall function 02F899D2: lstrcpyA.KERNEL32(?,?,00000100,02F922F8,00000000,?,02F89E9D,?,00000022,?,?,?,?,?,?,?), ref: 02F899DF
                                                                          • Part of subcall function 02F899D2: lstrcatA.KERNEL32(00000022,00000000,?,?,02F89E9D,?,00000022,?,?,?,?,?,?,?,000001F4), ref: 02F89A3C
                                                                          • Part of subcall function 02F899D2: lstrcatA.KERNEL32(?,00000022,?,?,?,?,?,02F89E9D,?,00000022,?,?,?), ref: 02F89A52
                                                                        • lstrlenA.KERNEL32(?), ref: 02F8A288
                                                                        • StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 02F8A3B7
                                                                        • GetLastError.KERNEL32 ref: 02F8A3ED
                                                                        • Sleep.KERNEL32(000003E8), ref: 02F8A400
                                                                        • DeleteFileA.KERNELBASE(02F933D8), ref: 02F8A407
                                                                        • CreateThread.KERNELBASE(00000000,00000000,02F8405E,00000000,00000000,00000000), ref: 02F8A42C
                                                                        • WSAStartup.WS2_32(00001010,?), ref: 02F8A43A
                                                                        • CreateThread.KERNELBASE(00000000,00000000,02F8877E,00000000,00000000,00000000), ref: 02F8A469
                                                                        • Sleep.KERNELBASE(00000BB8), ref: 02F8A48A
                                                                        • GetTickCount.KERNEL32 ref: 02F8A49F
                                                                        • GetTickCount.KERNEL32 ref: 02F8A4B7
                                                                        • Sleep.KERNELBASE(00001A90), ref: 02F8A4C3
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcat$File$Module$CountCreateDeleteErrorHandleNameSleepTicklstrcpylstrlen$CommandDriveLineModeProcessThreadTimeType$AttributesCloseCtrlDispatcherEnvironmentExceptionExitFilterInformationLastOpenPathServiceStartStartupSystemTempUnhandledValueVariableVolumewsprintf
                                                                        • String ID: "$"$"$%X%08X$C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe$D$P$\$rpfcsqnj
                                                                        • API String ID: 2089075347-992914603
                                                                        • Opcode ID: 2339989a2fb1f6e8522a036e1e460af464519931808acec8d822838ac037cf48
                                                                        • Instruction ID: 06602d2e9960b8f82df157a8e27a178727ea28e0c123003f607c4e6f39a033d4
                                                                        • Opcode Fuzzy Hash: 2339989a2fb1f6e8522a036e1e460af464519931808acec8d822838ac037cf48
                                                                        • Instruction Fuzzy Hash: F1527872D4025DAFEF11ABA0CC49EEEF7BDEB04384F1444AAF705A6140EB719A548F51

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • inet_addr.WS2_32(123.45.67.89), ref: 02F819B1
                                                                        • LoadLibraryA.KERNELBASE(Iphlpapi.dll,?,?,?,?,00000001,02F81E9E), ref: 02F819BF
                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersInfo), ref: 02F819E2
                                                                        • GetProcAddress.KERNEL32(00000000,GetIfEntry), ref: 02F819ED
                                                                        • GetProcAddress.KERNEL32(?,GetBestInterface), ref: 02F819F9
                                                                        • GetBestInterface.IPHLPAPI(?,?,?,?,?,?,00000001,02F81E9E), ref: 02F81A1B
                                                                        • GetProcessHeap.KERNEL32(?,?,?,?,00000001,02F81E9E), ref: 02F81A1D
                                                                        • HeapAlloc.KERNEL32(00000000,00000000,00000288,?,?,?,?,00000001,02F81E9E), ref: 02F81A36
                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,02F81E9E,?,?,?,?,00000001,02F81E9E), ref: 02F81A4A
                                                                        • HeapReAlloc.KERNEL32(?,00000000,00000000,02F81E9E,?,?,?,?,00000001,02F81E9E), ref: 02F81A5A
                                                                        • GetAdaptersInfo.IPHLPAPI(00000000,02F81E9E,?,?,?,?,00000001,02F81E9E), ref: 02F81A6E
                                                                        • HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,00000001,02F81E9E), ref: 02F81A9B
                                                                        • FreeLibrary.KERNEL32(?,?,?,?,?,00000001,02F81E9E), ref: 02F81AA4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$AddressProc$AdaptersAllocFreeInfoLibrary$BestInterfaceLoadProcessinet_addr
                                                                        • String ID: 123.45.67.89$GetAdaptersInfo$GetBestInterface$GetIfEntry$Iphlpapi.dll$localcfg
                                                                        • API String ID: 293628436-270533642
                                                                        • Opcode ID: e02e80ab44d740d01ad1c1487bd98f4be51c73c76c3f1acfd61758656b963344
                                                                        • Instruction ID: 6a299eeced50e36d231a823288d46bd693f1bb43f4ce4c4cd2621655bc0f2c27
                                                                        • Opcode Fuzzy Hash: e02e80ab44d740d01ad1c1487bd98f4be51c73c76c3f1acfd61758656b963344
                                                                        • Instruction Fuzzy Hash: 26315436D40119AFDF11AFE4DC898BFFBB9EF45685B14067DE605E2110DB304941CB60

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • RegOpenKeyExA.KERNELBASE(000000E4,00000022,00000000,000E0100,00000000,00000000), ref: 02F87ABA
                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 02F87ADF
                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,02F9070C,?,?,?), ref: 02F87B16
                                                                        • RegGetKeySecurity.ADVAPI32(00000000,00000005,?,?), ref: 02F87B3B
                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,00000022,80000002), ref: 02F87B59
                                                                        • EqualSid.ADVAPI32(?,00000022), ref: 02F87B6A
                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02F87B7E
                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02F87B8C
                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02F87B9C
                                                                        • RegSetKeySecurity.KERNELBASE(00000000,00000001,00000000), ref: 02F87BAB
                                                                        • LocalFree.KERNEL32(00000000), ref: 02F87BB2
                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,02F87FC9,?,00000000), ref: 02F87BCE
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Security$Descriptor$LocalNameOwner$AccountAllocDaclEqualFreeInitializeLookupOpenUser
                                                                        • String ID: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe$D
                                                                        • API String ID: 2976863881-1637623080
                                                                        • Opcode ID: fd3c8a5ac2691e371f3945ebc5ee5f4cdeb9d1943c6723b035c13b219bb1a5fd
                                                                        • Instruction ID: 8fb67570ad9f2e893d6c55c6817b9f4049b659828a9a3cc396295b97c158c8a6
                                                                        • Opcode Fuzzy Hash: fd3c8a5ac2691e371f3945ebc5ee5f4cdeb9d1943c6723b035c13b219bb1a5fd
                                                                        • Instruction Fuzzy Hash: 1CA15F76D4021DABEF11AFA0CC88FEEFBB9FB45784F144469E606E2150EB318655CB60

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetUserNameA.ADVAPI32(?,?), ref: 02F8782F
                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 02F87866
                                                                        • GetLengthSid.ADVAPI32(?), ref: 02F87878
                                                                        • GetFileSecurityA.ADVAPI32(?,00000005,?,00000400,?), ref: 02F8789A
                                                                        • GetSecurityDescriptorOwner.ADVAPI32(?,02F87F63,?), ref: 02F878B8
                                                                        • EqualSid.ADVAPI32(?,02F87F63), ref: 02F878D2
                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02F878E3
                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02F878F1
                                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000), ref: 02F87901
                                                                        • SetFileSecurityA.ADVAPI32(?,00000001,00000000), ref: 02F87910
                                                                        • LocalFree.KERNEL32(00000000), ref: 02F87917
                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 02F87933
                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 02F87963
                                                                        • EqualSid.ADVAPI32(?,02F87F63), ref: 02F8798A
                                                                        • DeleteAce.ADVAPI32(?,00000000), ref: 02F879A3
                                                                        • EqualSid.ADVAPI32(?,02F87F63), ref: 02F879C5
                                                                        • LocalAlloc.KERNEL32(00000040,00000014), ref: 02F87A4A
                                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 02F87A58
                                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,?,00000000), ref: 02F87A69
                                                                        • SetFileSecurityA.ADVAPI32(?,00000004,00000000), ref: 02F87A79
                                                                        • LocalFree.KERNEL32(00000000), ref: 02F87A87
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Security$Descriptor$Local$EqualFile$AllocDaclFreeInitializeNameOwner$AccountDeleteLengthLookupUser
                                                                        • String ID: D
                                                                        • API String ID: 3722657555-2746444292
                                                                        • Opcode ID: ef658d4c16e01330efa2f5f04488f27bb85ac112891b536341edf3be3b205a39
                                                                        • Instruction ID: e13959131db4381e6699d805775e50ab767db31f5e4d626c683d9ec7be15f223
                                                                        • Opcode Fuzzy Hash: ef658d4c16e01330efa2f5f04488f27bb85ac112891b536341edf3be3b205a39
                                                                        • Instruction Fuzzy Hash: 53813C76E0011DABDB21EFA4CD44FEEFBB8AF08784F244569E615E2150DB349651CF60

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,?,?,00000000,00000103,02F90750,?,?,00000000,localcfg,00000000), ref: 02F883F3
                                                                        • RegQueryValueExA.KERNELBASE(02F90750,?,00000000,?,02F88893,?,?,?,00000000,00000103,02F90750,?,?,00000000,localcfg,00000000), ref: 02F88414
                                                                        • RegSetValueExA.KERNELBASE(02F90750,?,00000000,00000004,02F88893,00000004,?,?,00000000,00000103,02F90750,?,?,00000000,localcfg,00000000), ref: 02F88441
                                                                        • RegCloseKey.ADVAPI32(02F90750,?,?,00000000,00000103,02F90750,?,?,00000000,localcfg,00000000), ref: 02F8844A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Value$CloseOpenQuery
                                                                        • String ID: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe$localcfg
                                                                        • API String ID: 237177642-125568393
                                                                        • Opcode ID: 12573d20461403a8037ba58365f1181070a3ce0bb5aca93810795aa1ce27ee86
                                                                        • Instruction ID: f5527489aef7fe375418a5470e13ba204c2db34a578990dd88ab4b9ad1d9098a
                                                                        • Opcode Fuzzy Hash: 12573d20461403a8037ba58365f1181070a3ce0bb5aca93810795aa1ce27ee86
                                                                        • Instruction Fuzzy Hash: DBC19FB2D8010DBEEB11BBA49C85EEEFBBDAB043C4F540469F701A6140EB305A94CF61

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetVersionExA.KERNEL32 ref: 02F81DC6
                                                                        • GetSystemInfo.KERNELBASE(?), ref: 02F81DE8
                                                                        • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 02F81E03
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02F81E0A
                                                                        • GetCurrentProcess.KERNEL32(?), ref: 02F81E1B
                                                                        • GetTickCount.KERNEL32 ref: 02F81FC9
                                                                          • Part of subcall function 02F81BDF: GetComputerNameA.KERNEL32(?,0000000F), ref: 02F81C15
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressComputerCountCurrentHandleInfoModuleNameProcProcessSystemTickVersion
                                                                        • String ID: IsWow64Process$born_date$flags_upd$hi_id$kernel32$lid_file_upd$loader_id$localcfg$net_type$start_srv$work_srv
                                                                        • API String ID: 4207808166-1381319158
                                                                        • Opcode ID: 8daf9e7d6b63bbd9e69b7e2b87479c12f93cddd9b4e9e851fe59e0438cd3834c
                                                                        • Instruction ID: 69add1567760a253e2acb38fd4d5064a4adc69a4d2e7348a92c0704e979a5071
                                                                        • Opcode Fuzzy Hash: 8daf9e7d6b63bbd9e69b7e2b87479c12f93cddd9b4e9e851fe59e0438cd3834c
                                                                        • Instruction Fuzzy Hash: 08517FB19043446FF730BB758C85F2BFAECEB44B88F040A1DF68A82242DB75A505CB61

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • RegOpenKeyExA.KERNELBASE(80000002,00000000,00020119,00000000,?,74DF0F10,00000000), ref: 02F87472
                                                                        • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000101,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 02F874F0
                                                                        • RegQueryValueExA.KERNELBASE(?,00000000,?,00000000,?,?,00000104,?,?,?,?,?,?,74DF0F10,00000000), ref: 02F87528
                                                                        • ___ascii_stricmp.LIBCMT ref: 02F8764D
                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,74DF0F10,00000000), ref: 02F876E7
                                                                        • RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000104), ref: 02F87706
                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 02F87717
                                                                        • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,74DF0F10,00000000), ref: 02F87745
                                                                        • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,74DF0F10,00000000), ref: 02F877EF
                                                                          • Part of subcall function 02F8F1A5: lstrlenA.KERNEL32(000000C8,000000E4,02F922F8,000000C8,02F87150,?), ref: 02F8F1AD
                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02F8778F
                                                                        • RegCloseKey.KERNELBASE(?), ref: 02F877E6
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Close$Open$AttributesEnumFileQueryValue___ascii_stricmplstrlen
                                                                        • String ID: "
                                                                        • API String ID: 3433985886-123907689
                                                                        • Opcode ID: 73266523f95b3a36ba7f8dc6d29236eadb301c767af173ff79f8add1438a9ecb
                                                                        • Instruction ID: e8d80fa41d8ef1dd4bec4fdcaf6705c1effe6895c7b9250ec808a036f5890242
                                                                        • Opcode Fuzzy Hash: 73266523f95b3a36ba7f8dc6d29236eadb301c767af173ff79f8add1438a9ecb
                                                                        • Instruction Fuzzy Hash: A5C1A276D04209ABEB11BBA4DC45FEEFBB9EF45790F2404A5E604E6190EB31DA44CF60

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 02F8677E
                                                                        • CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 02F8679A
                                                                        • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 02F867B0
                                                                        • SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 02F867BF
                                                                        • GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 02F867D3
                                                                        • ReadFile.KERNELBASE(000000FF,?,00000040,02F88244,00000000,?,74DF0F10,00000000), ref: 02F86807
                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 02F8681F
                                                                        • ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 02F8683E
                                                                        • SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 02F8685C
                                                                        • ReadFile.KERNEL32(000000FF,?,00000028,02F88244,00000000,?,74DF0F10,00000000), ref: 02F8688B
                                                                        • SetFilePointer.KERNELBASE(000000FF,00000000,00000000,00000000,?,74DF0F10,00000000), ref: 02F86906
                                                                        • ReadFile.KERNEL32(000000FF,?,00000000,02F88244,00000000,?,74DF0F10,00000000), ref: 02F8691C
                                                                        • FindCloseChangeNotification.KERNELBASE(000000FF,?,74DF0F10,00000000), ref: 02F86971
                                                                          • Part of subcall function 02F8EC2E: GetProcessHeap.KERNEL32(00000000,02F8EA27,00000000,02F8EA27,00000000), ref: 02F8EC41
                                                                          • Part of subcall function 02F8EC2E: RtlFreeHeap.NTDLL(00000000), ref: 02F8EC48
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: File$Read$Pointer$AttributesCreateHeap$ChangeCloseFindFreeNotificationProcessSize
                                                                        • String ID:
                                                                        • API String ID: 1400801100-0
                                                                        • Opcode ID: 11c445954a84456a3dae8a28fe08ad4ab4c2d1945ea090cc20b664c4e9406437
                                                                        • Instruction ID: 1c0f1323a832c11765c03f7320a2484b454835705b021626caad705961aadfce
                                                                        • Opcode Fuzzy Hash: 11c445954a84456a3dae8a28fe08ad4ab4c2d1945ea090cc20b664c4e9406437
                                                                        • Instruction Fuzzy Hash: BD71E471D0021DEFDB159FA4CC84AEEBBB9EF04394F10456AE615E6190E7309E92DF60

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • htons.WS2_32(02F8CA1D), ref: 02F8F34D
                                                                        • socket.WS2_32(00000002,00000001,00000000), ref: 02F8F367
                                                                        • closesocket.WS2_32(00000000), ref: 02F8F375
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: closesockethtonssocket
                                                                        • String ID: time_cfg
                                                                        • API String ID: 311057483-2401304539
                                                                        • Opcode ID: 37810353c5d6fcbcbe5a365450f834e0f8fffe6833c669d74ce90a78e2c82be4
                                                                        • Instruction ID: ccaad3329fa353ff3ea1efdf2176f6449519b096eb2f6d5c555a73db5279207f
                                                                        • Opcode Fuzzy Hash: 37810353c5d6fcbcbe5a365450f834e0f8fffe6833c669d74ce90a78e2c82be4
                                                                        • Instruction Fuzzy Hash: B6317E7294011DAFDB10EFA5DC859EEBBBCFF88390F104666FA15D3140E7309A518BA0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000), ref: 02F84070
                                                                        • ExitProcess.KERNEL32 ref: 02F84121
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CreateEventExitProcess
                                                                        • String ID:
                                                                        • API String ID: 2404124870-0
                                                                        • Opcode ID: d7b76470ed1f0aff9de5658d96c9ab5775a1c5fc96eb97137e6f8450376eca2a
                                                                        • Instruction ID: a42f84ccc14537e88406a83fe7fadc13e17c8cb3c187a191f9058724b7dfa7d4
                                                                        • Opcode Fuzzy Hash: d7b76470ed1f0aff9de5658d96c9ab5775a1c5fc96eb97137e6f8450376eca2a
                                                                        • Instruction Fuzzy Hash: B95182B1E40219BAEB21BBA08C45FBFFA7DEF11B94F000055F714B6190E7358A05DBA1

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,02F82F01,?,02F820FF,02F92000), ref: 02F82D3A
                                                                        • LoadLibraryA.KERNEL32(?), ref: 02F82D4A
                                                                        • GetProcAddress.KERNEL32(00000000,DnsQuery_A), ref: 02F82D61
                                                                        • DnsQuery_A.DNSAPI(00000000,0000000F,00000000,00000000,?,00000000), ref: 02F82D77
                                                                        • GetProcessHeap.KERNEL32(00000000,00000108,000DBBA0), ref: 02F82D99
                                                                        • HeapAlloc.KERNEL32(00000000), ref: 02F82DA0
                                                                        • lstrcpynA.KERNEL32(00000008,?,000000FF), ref: 02F82DCB
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$AddressAllocHandleLibraryLoadModuleProcProcessQuery_lstrcpyn
                                                                        • String ID: DnsQuery_A$dnsapi.dll
                                                                        • API String ID: 233223969-3847274415
                                                                        • Opcode ID: 2dc5c9387273c6a8da5a057adaa51cae5d36c85f3bc2cc6dcd74cd81d5d796ad
                                                                        • Instruction ID: 1793a5b2353d83abac22c2be5f57811953382fed46d40d412b30e25a4f0af177
                                                                        • Opcode Fuzzy Hash: 2dc5c9387273c6a8da5a057adaa51cae5d36c85f3bc2cc6dcd74cd81d5d796ad
                                                                        • Instruction Fuzzy Hash: 2F216276D40269ABDB21AF55DC44AAEFFB8FF08B90F104416FE06E7110E770A9958BD0

                                                                        Control-flow Graph

                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 02F8815F
                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,02F8A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 02F88187
                                                                        • RegQueryValueExA.ADVAPI32(?,?,00000000,00000001,00000000,02F8A45F,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 02F881BE
                                                                        • RegCloseKey.ADVAPI32(?,?,?,00000000,00000101,?,?,?,?,74DF0F10,00000000), ref: 02F88210
                                                                          • Part of subcall function 02F8675C: SetFileAttributesA.KERNEL32(?,00000080,?,74DF0F10,00000000), ref: 02F8677E
                                                                          • Part of subcall function 02F8675C: CreateFileA.KERNELBASE(?,80000000,00000003,00000000,00000003,00000080,00000000,?,74DF0F10,00000000), ref: 02F8679A
                                                                          • Part of subcall function 02F8675C: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000004,00000000,?,74DF0F10,00000000), ref: 02F867B0
                                                                          • Part of subcall function 02F8675C: SetFileAttributesA.KERNEL32(?,00000002,?,74DF0F10,00000000), ref: 02F867BF
                                                                          • Part of subcall function 02F8675C: GetFileSize.KERNEL32(000000FF,00000000,?,74DF0F10,00000000), ref: 02F867D3
                                                                          • Part of subcall function 02F8675C: ReadFile.KERNELBASE(000000FF,?,00000040,02F88244,00000000,?,74DF0F10,00000000), ref: 02F86807
                                                                          • Part of subcall function 02F8675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 02F8681F
                                                                          • Part of subcall function 02F8675C: ReadFile.KERNELBASE(000000FF,?,000000F8,?,00000000,?,74DF0F10,00000000), ref: 02F8683E
                                                                          • Part of subcall function 02F8675C: SetFilePointer.KERNELBASE(000000FF,?,00000000,00000000,?,74DF0F10,00000000), ref: 02F8685C
                                                                          • Part of subcall function 02F8EC2E: GetProcessHeap.KERNEL32(00000000,02F8EA27,00000000,02F8EA27,00000000), ref: 02F8EC41
                                                                          • Part of subcall function 02F8EC2E: RtlFreeHeap.NTDLL(00000000), ref: 02F8EC48
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: File$AttributesCreateHeapPointerQueryReadValue$CloseFreeOpenProcessSize
                                                                        • String ID: C:\Windows\SysWOW64\rpfcsqnj\ybuffopp.exe
                                                                        • API String ID: 124786226-3712984543
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02F81AD4
                                                                        • GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02F81AE9
                                                                        • GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02F81B20
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: AdaptersAddressAddressesLibraryLoadProc
                                                                        • String ID: GetAdaptersAddresses$Iphlpapi.dll
                                                                        • API String ID: 3646706440-1087626847
                                                                        APIs
                                                                        • RegOpenKeyExA.KERNELBASE(80000001,02F8E5F2,00000000,00020119,02F8E5F2,02F922F8), ref: 02F8E3E6
                                                                        • RegQueryValueExA.ADVAPI32(02F8E5F2,?,00000000,?,00000000,80000001,?,?,?,?,000000C8,000000E4), ref: 02F8E44E
                                                                        • RegQueryValueExA.ADVAPI32(02F8E5F2,?,00000000,?,00000000,80000001,?,?,?,?,?,?,?,000000C8,000000E4), ref: 02F8E482
                                                                        • RegQueryValueExA.ADVAPI32(02F8E5F2,?,00000000,?,80000001,?), ref: 02F8E4CF
                                                                        • RegCloseKey.ADVAPI32(02F8E5F2,?,?,?,?,000000C8,000000E4), ref: 02F8E520
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: QueryValue$CloseOpen
                                                                        • String ID:
                                                                        • API String ID: 1586453840-0
                                                                        APIs
                                                                        • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000000,00000004), ref: 02F8F2A0
                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001005,00000004,00000004), ref: 02F8F2C0
                                                                        • setsockopt.WS2_32(00000004,0000FFFF,00001006,00000004,00000004), ref: 02F8F2DD
                                                                        • setsockopt.WS2_32(?,00000006,00000001,?,00000004), ref: 02F8F2EC
                                                                        • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 02F8F2FD
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: setsockopt
                                                                        • String ID:
                                                                        • API String ID: 3981526788-0
                                                                        APIs
                                                                          • Part of subcall function 02F81AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02F81AD4
                                                                          • Part of subcall function 02F81AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02F81AE9
                                                                          • Part of subcall function 02F81AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02F81B20
                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 02F81C15
                                                                        • GetVolumeInformationA.KERNEL32(00000000,00000000,00000004,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000001), ref: 02F81C51
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                        • String ID: hi_id$localcfg
                                                                        • API String ID: 2794401326-2393279970
                                                                        APIs
                                                                          • Part of subcall function 02F81AC3: LoadLibraryA.KERNEL32(Iphlpapi.dll,00000000,localcfg,?,hi_id,?,?,?,?,00000001), ref: 02F81AD4
                                                                          • Part of subcall function 02F81AC3: GetProcAddress.KERNEL32(00000000,GetAdaptersAddresses), ref: 02F81AE9
                                                                          • Part of subcall function 02F81AC3: GetAdaptersAddresses.IPHLPAPI(00000002,00000000,00000000,00000000,?,?,?,?,?,?,00000001), ref: 02F81B20
                                                                        • GetComputerNameA.KERNEL32(?,0000000F), ref: 02F81BA3
                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,02F81EFD,00000000,00000000,00000000,00000000), ref: 02F81BB8
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: AdaptersAddressAddressesComputerInformationLibraryLoadNameProcVolume
                                                                        • String ID: localcfg
                                                                        • API String ID: 2794401326-1857712256
                                                                        APIs
                                                                        • inet_addr.WS2_32(00000001), ref: 02F82693
                                                                        • gethostbyname.WS2_32(00000001), ref: 02F8269F
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: gethostbynameinet_addr
                                                                        • String ID: time_cfg
                                                                        • API String ID: 1594361348-2401304539
                                                                        APIs
                                                                          • Part of subcall function 02F8DD05: GetTickCount.KERNEL32 ref: 02F8DD0F
                                                                          • Part of subcall function 02F8DD05: InterlockedExchange.KERNEL32(02F936B4,00000001), ref: 02F8DD44
                                                                          • Part of subcall function 02F8DD05: GetCurrentThreadId.KERNEL32 ref: 02F8DD53
                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,74DF0F10,?,00000000,?,02F8A445), ref: 02F8E558
                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,74DF0F10,?,00000000,?,02F8A445), ref: 02F8E583
                                                                        • CloseHandle.KERNEL32(00000000,?,74DF0F10,?,00000000,?,02F8A445), ref: 02F8E5B2
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: File$CloseCountCurrentExchangeHandleInterlockedReadSizeThreadTick
                                                                        • String ID:
                                                                        • API String ID: 3683885500-0
                                                                        APIs
                                                                        • Sleep.KERNELBASE(000003E8), ref: 02F888A5
                                                                          • Part of subcall function 02F8F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02F8E342,00000000,75A8EA50,80000001,00000000,02F8E513,?,00000000,00000000,?,000000E4), ref: 02F8F089
                                                                          • Part of subcall function 02F8F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02F8E342,00000000,75A8EA50,80000001,00000000,02F8E513,?,00000000,00000000,?,000000E4,000000C8), ref: 02F8F093
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: Time$FileSystem$Sleep
                                                                        • String ID: localcfg$rresolv
                                                                        • API String ID: 1561729337-486471987
                                                                        APIs
                                                                        • CreateFileA.KERNELBASE(40000080,C0000000,00000003,00000000,00000003,40000080,00000000,00000001,02F922F8,02F842B6,00000000,00000001,02F922F8,00000000,?,02F898FD), ref: 02F84021
                                                                        • GetLastError.KERNEL32(?,02F898FD,00000001,00000100,02F922F8,02F8A3C7), ref: 02F8402C
                                                                        • Sleep.KERNEL32(000001F4,?,02F898FD,00000001,00000100,02F922F8,02F8A3C7), ref: 02F84046
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: CreateErrorFileLastSleep
                                                                        • String ID:
                                                                        • API String ID: 408151869-0
                                                                        APIs
                                                                        • GetEnvironmentVariableA.KERNEL32(02F8DC19,?,00000104), ref: 02F8DB7F
                                                                        • lstrcpyA.KERNEL32(?,02F928F8), ref: 02F8DBA4
                                                                        • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000080,00000000), ref: 02F8DBC2
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: CreateEnvironmentFileVariablelstrcpy
                                                                        • String ID:
                                                                        • API String ID: 2536392590-0
                                                                        APIs
                                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 02F8EC5E
                                                                        • GetVolumeInformationA.KERNELBASE(00000000,00000000,00000004,?,00000000,00000000,00000000,00000000), ref: 02F8EC72
                                                                        • GetTickCount.KERNEL32 ref: 02F8EC78
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Time$CountFileInformationSystemTickVolume
                                                                        • String ID:
                                                                        • API String ID: 1209300637-0
                                                                        • Opcode ID: 01f8710828d59f54fb9f1cbf70e41445e85458059cb66f2e11de851e676576c8
                                                                        • Instruction ID: ce284028a93f04760c1737e58d9ee1fbdf2fde8357ac6c6d02d26bd4d6e4cb87
                                                                        • Opcode Fuzzy Hash: 01f8710828d59f54fb9f1cbf70e41445e85458059cb66f2e11de851e676576c8
                                                                        • Instruction Fuzzy Hash: D1E09AF5C50108BFE705ABB0DC4AE6BB7BCEB08754F500A55BA11D6090DA709A148B60
                                                                        APIs
                                                                        • gethostname.WS2_32(?,00000080), ref: 02F830D8
                                                                        • gethostbyname.WS2_32(?), ref: 02F830E2
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: gethostbynamegethostname
                                                                        • String ID:
                                                                        • API String ID: 3961807697-0
                                                                        • Opcode ID: 858e96215ae5733331576581f5ad166e38e6ce3463afb7fad23428bf3dc3a7e0
                                                                        • Instruction ID: 198f9656f8941b3ee3618df61187cdfbed1c304ee5f068b78e63a259bbefccd5
                                                                        • Opcode Fuzzy Hash: 858e96215ae5733331576581f5ad166e38e6ce3463afb7fad23428bf3dc3a7e0
                                                                        • Instruction Fuzzy Hash: 79E06D72D0011DABCB10ABA8EC89F9AB7ACBB04248F080461F905E3290EA34E5048BA0
                                                                        APIs
                                                                          • Part of subcall function 02F8EBA0: GetProcessHeap.KERNEL32(00000000,00000000,02F8EC0A,00000000,80000001,?,02F8DB55,7FFF0001), ref: 02F8EBAD
                                                                          • Part of subcall function 02F8EBA0: HeapSize.KERNEL32(00000000,?,02F8DB55,7FFF0001), ref: 02F8EBB4
                                                                        • GetProcessHeap.KERNEL32(00000000,02F8EA27,00000000,02F8EA27,00000000), ref: 02F8EC41
                                                                        • RtlFreeHeap.NTDLL(00000000), ref: 02F8EC48
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$Process$FreeSize
                                                                        • String ID:
                                                                        • API String ID: 1305341483-0
                                                                        • Opcode ID: 7ca5181055b88df9c30e218a12cc6b23b81838e196076ddbedd1abb1f9bf1ed4
                                                                        • Instruction ID: c0a0b9c14a9f9db06c2da4dd67babce11b659e3695552db13b31a3573ccdd682
                                                                        • Opcode Fuzzy Hash: 7ca5181055b88df9c30e218a12cc6b23b81838e196076ddbedd1abb1f9bf1ed4
                                                                        • Instruction Fuzzy Hash: 8FC01232D462346BD5513B50BC0DF9BFB589F46695F09080DF60566044CB6058808AE1
                                                                        APIs
                                                                        • GetProcessHeap.KERNEL32(00000000,00000000,80000001,02F8EBFE,7FFF0001,?,02F8DB55,7FFF0001), ref: 02F8EBD3
                                                                        • RtlAllocateHeap.NTDLL(00000000,?,02F8DB55,7FFF0001), ref: 02F8EBDA
                                                                          • Part of subcall function 02F8EB74: GetProcessHeap.KERNEL32(00000000,00000000,02F8EC28,00000000,?,02F8DB55,7FFF0001), ref: 02F8EB81
                                                                          • Part of subcall function 02F8EB74: HeapSize.KERNEL32(00000000,?,02F8DB55,7FFF0001), ref: 02F8EB88
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heap$Process$AllocateSize
                                                                        • String ID:
                                                                        • API String ID: 2559512979-0
                                                                        • Opcode ID: 20c0afd023f5f787cc7868ffdf3b65be8c70ed9c6da6be788941880557071bd6
                                                                        • Instruction ID: 1e7359ee3fd6266a1cd6302d25d6ea365a6afb532f9fa0a296426317825a8138
                                                                        • Opcode Fuzzy Hash: 20c0afd023f5f787cc7868ffdf3b65be8c70ed9c6da6be788941880557071bd6
                                                                        • Instruction Fuzzy Hash: B8C0803254422067D60137E47C0CF9ABE94DF043E2F040408F605C1164CF3048908F95
                                                                        APIs
                                                                        • recv.WS2_32(000000C8,?,00000000,02F8CA44), ref: 02F8F476
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: recv
                                                                        • String ID:
                                                                        • API String ID: 1507349165-0
                                                                        • Opcode ID: 1b1b8f5e59bf028453398eb07ba3d9ca1eb0e7f7ce7403a14d77066db837d121
                                                                        • Instruction ID: c25fc6b7701aa99478f1850499e4df62710cd8b029aa716f0c593e63a6b43a99
                                                                        • Opcode Fuzzy Hash: 1b1b8f5e59bf028453398eb07ba3d9ca1eb0e7f7ce7403a14d77066db837d121
                                                                        • Instruction Fuzzy Hash: 1FF0127360155EAF9B11AE59DD84CAB7BAEFB892907440622FB14D7110D631D8218B60
                                                                        APIs
                                                                        • closesocket.WS2_32(00000000), ref: 02F81992
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: closesocket
                                                                        • String ID:
                                                                        • API String ID: 2781271927-0
                                                                        • Opcode ID: 1bbde9ed9b7fe731a64227946c4884e6a813b98397d2483f58918dcc126be824
                                                                        • Instruction ID: 6ec2e9d522fb674072066eab1975b68e89516370bb2c166d3d76564cf89091c0
                                                                        • Opcode Fuzzy Hash: 1bbde9ed9b7fe731a64227946c4884e6a813b98397d2483f58918dcc126be824
                                                                        • Instruction Fuzzy Hash: 87D012265486356A52113759BC0447FFB9CDF456E2751951BFD48C0150DB35C8428795
                                                                        APIs
                                                                        • lstrcmpiA.KERNEL32(80000011,00000000), ref: 02F8DDB5
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmpi
                                                                        • String ID:
                                                                        • API String ID: 1586166983-0
                                                                        • Opcode ID: 89f9889e6c981487ae4e013733eeb3271893191c583252b3e7a941f60ca936f6
                                                                        • Instruction ID: 45bd115751a1839255fc6ed4b80b6a7b4a74d2f4a42809da45f1b0ea5297996b
                                                                        • Opcode Fuzzy Hash: 89f9889e6c981487ae4e013733eeb3271893191c583252b3e7a941f60ca936f6
                                                                        • Instruction Fuzzy Hash: 1BF08233A00202DBCB20EE349844656F3E4EF467E9F14483EE75AD22D0EB30D856CB11
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,00000000,?,?,02F89816,EntryPoint), ref: 02F8638F
                                                                        • VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,02F89816,EntryPoint), ref: 02F863A9
                                                                        • VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000040), ref: 02F863CA
                                                                        • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 02F863EB
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AllocVirtual$HandleMemoryModuleProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 1965334864-0
                                                                        • Opcode ID: 40c01a4f020dc1512ca47a432d57eaae3c56e294026e1268fa4d4f546bad7e06
                                                                        • Instruction ID: d8158296489dee0e8c31c990c317e44ba98591a7676a102f9f54123504d55de9
                                                                        • Opcode Fuzzy Hash: 40c01a4f020dc1512ca47a432d57eaae3c56e294026e1268fa4d4f546bad7e06
                                                                        • Instruction Fuzzy Hash: D31191B2A00219BFEB219F65DC49F9B7BACEB047E4F014424FA14E6280DB71DC108AA0
                                                                        APIs
                                                                        • LoadLibraryA.KERNEL32(ntdll.dll,00000000,02F81839,02F89646), ref: 02F81012
                                                                        • GetProcAddress.KERNEL32(00000000,RtlExpandEnvironmentStrings_U), ref: 02F810C2
                                                                        • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 02F810E1
                                                                        • GetProcAddress.KERNEL32(00000000,NtTerminateProcess), ref: 02F81101
                                                                        • GetProcAddress.KERNEL32(00000000,RtlFreeSid), ref: 02F81121
                                                                        • GetProcAddress.KERNEL32(00000000,RtlInitUnicodeString), ref: 02F81140
                                                                        • GetProcAddress.KERNEL32(00000000,NtSetInformationThread), ref: 02F81160
                                                                        • GetProcAddress.KERNEL32(00000000,NtSetInformationToken), ref: 02F81180
                                                                        • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 02F8119F
                                                                        • GetProcAddress.KERNEL32(00000000,NtClose), ref: 02F811BF
                                                                        • GetProcAddress.KERNEL32(00000000,NtOpenProcessToken), ref: 02F811DF
                                                                        • GetProcAddress.KERNEL32(00000000,NtDuplicateToken), ref: 02F811FE
                                                                        • GetProcAddress.KERNEL32(00000000,RtlAllocateAndInitializeSid), ref: 02F8121A
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: AddressProc$LibraryLoad
                                                                        • String ID: NtClose$NtDuplicateToken$NtFilterToken$NtOpenProcessToken$NtQueryInformationToken$NtSetInformationThread$NtSetInformationToken$NtTerminateProcess$RtlAllocateAndInitializeSid$RtlExpandEnvironmentStrings_U$RtlFreeSid$RtlInitUnicodeString$RtlLengthSid$RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                        • API String ID: 2238633743-3228201535
                                                                        • Opcode ID: 58f9745d484c4bc13920e36ce2a26a0744b2e5063add65e41f524c018c2505d3
                                                                        • Instruction ID: 5e20bfbc89f8a7a0b9485f9cd267466d6c7d4ac40d8ebb51d32e896d5b192b76
                                                                        • Opcode Fuzzy Hash: 58f9745d484c4bc13920e36ce2a26a0744b2e5063add65e41f524c018c2505d3
                                                                        • Instruction Fuzzy Hash: 4C51C971D82606AEFB31ABACAC60753F2EA63487E4F040B66DA26D21D0D770C4D2CF51
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(0003E800,?,0003E800,00000000), ref: 02F8B2B3
                                                                        • FileTimeToLocalFileTime.KERNEL32(00000000,00000000,?,0003E800,00000000), ref: 02F8B2C2
                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 02F8B2D0
                                                                        • SystemTimeToFileTime.KERNEL32(0003E800,00000000), ref: 02F8B2E1
                                                                        • FileTimeToSystemTime.KERNEL32(00000000,0003E800), ref: 02F8B31A
                                                                        • GetTimeZoneInformation.KERNEL32(?), ref: 02F8B329
                                                                        • wsprintfA.USER32 ref: 02F8B3B7
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Time$File$System$Local$InformationZonewsprintf
                                                                        • String ID: %s, %u %s %u %.2u:%.2u:%.2u %s%.2u%.2u$Apr$Aug$Dec$Feb$Fri$Jan$Jul$Jun$Mar$May$Mon$Nov$Oct$Sat$Sep$Sun$Thu$Tue$Wed
                                                                        • API String ID: 766114626-2976066047
                                                                        • Opcode ID: 44472ceda2c82e27dcf0769c9decd97c1b25bac5cbf88d34cdaaa1692315a0d1
                                                                        • Instruction ID: 45eed18a52b0744350eef879f9018612bf9a24b3a289380c1dc38240af6611bf
                                                                        • Opcode Fuzzy Hash: 44472ceda2c82e27dcf0769c9decd97c1b25bac5cbf88d34cdaaa1692315a0d1
                                                                        • Instruction Fuzzy Hash: 295127B2E0021DAAEF15DFD4D9849EFFBB9AF48388F10446DE711B6150DB344A89CB90
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wsprintf$Processhtonl$CurrentExitReadStackWalk64
                                                                        • String ID: %d=%p$_ax=%p_bx=%p_cx=%p_dx=%p_si=%p_di=%p_bp=%p_sp=%p$ver=%d date=%s %sc=%08x a=%p$ va=%08X%08X uef=%p$12:08:32$Jan 13 2018$except_info$localcfg$plgs:$ret=%pp1=%pp2=%pp3=%pp4=%p
                                                                        • API String ID: 2400214276-165278494
                                                                        • Opcode ID: 6b7e6309fa7027b648f0dea6d50fef70ae2883f504e831a26a52c91a497154ba
                                                                        • Instruction ID: 4a02b8be2480c0eca3c5d14852325d1f47bfe391894a5d6edcb1d0ae6ca1c3bd
                                                                        • Opcode Fuzzy Hash: 6b7e6309fa7027b648f0dea6d50fef70ae2883f504e831a26a52c91a497154ba
                                                                        • Instruction Fuzzy Hash: 37614B72A40208AFEF60AFA4DC45FEAB7F9FF08340F144469FA69D6161EB7199508F50
                                                                        APIs
                                                                        • wsprintfA.USER32 ref: 02F8A7FB
                                                                        • lstrlenA.KERNEL32(?,00000000,00000000,00000001), ref: 02F8A87E
                                                                        • send.WS2_32(00000000,?,00000000,00000000), ref: 02F8A893
                                                                        • wsprintfA.USER32 ref: 02F8A8AF
                                                                        • send.WS2_32(00000000,.,00000005,00000000), ref: 02F8A8D2
                                                                        • wsprintfA.USER32 ref: 02F8A8E2
                                                                        • recv.WS2_32(00000000,?,000003F6,00000000), ref: 02F8A97C
                                                                        • wsprintfA.USER32 ref: 02F8A9B9
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wsprintf$send$lstrlenrecv
                                                                        • String ID: .$AUTH LOGIN$ESMTP$Error sending command (sent = %d/%d)$Incorrect respons$Too big smtp respons (%d bytes)$Too small respons$data$ehlo %s$helo %s$localcfg$mail from:<%s>$quit$rcpt to:<%s>
                                                                        • API String ID: 3650048968-2394369944
                                                                        • Opcode ID: 97b328380978d1a1656619a2d6a3d0ccfc33a97bdef523cddbbba6aac5045d51
                                                                        • Instruction ID: ca34345b4dae70c9ff02229bd39c0eb0a5bbc2531988cacf12be1f22fd2edb39
                                                                        • Opcode Fuzzy Hash: 97b328380978d1a1656619a2d6a3d0ccfc33a97bdef523cddbbba6aac5045d51
                                                                        • Instruction Fuzzy Hash: BDA13D72E44309EAFF21BA54DC85FAEF76AEB007C8F140467FB01A6090DB319954CB55
                                                                        APIs
                                                                        • ShellExecuteExW.SHELL32(?), ref: 02F8139A
                                                                        • lstrlenW.KERNEL32(-00000003), ref: 02F81571
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ExecuteShelllstrlen
                                                                        • String ID: $%systemroot%\system32\cmd.exe$<$@$D$PDu$uac$useless$wusa.exe
                                                                        • API String ID: 1628651668-179334549
                                                                        • Opcode ID: 13f67dd500f1915b7aaffe2de811f7bd6ec8511c560ddbc1593ddc5744454c80
                                                                        • Instruction ID: 207759b10d4b1c7071f3bd3d8673c9b41490a298815125f08d72fc74f568f90e
                                                                        • Opcode Fuzzy Hash: 13f67dd500f1915b7aaffe2de811f7bd6ec8511c560ddbc1593ddc5744454c80
                                                                        • Instruction Fuzzy Hash: 92F17CB5A083459FD720EF64C888B6BF7E5FB88384F004A2DFA9A87250D7749845CF52
                                                                        APIs
                                                                        • GetProcessHeap.KERNEL32(00000000,00001000,00000000,?,74DEF380), ref: 02F82A83
                                                                        • HeapAlloc.KERNEL32(00000000,?,74DEF380), ref: 02F82A86
                                                                        • socket.WS2_32(00000002,00000002,00000011), ref: 02F82AA0
                                                                        • htons.WS2_32(00000000), ref: 02F82ADB
                                                                        • select.WS2_32 ref: 02F82B28
                                                                        • recv.WS2_32(?,00000000,00001000,00000000), ref: 02F82B4A
                                                                        • htons.WS2_32(?), ref: 02F82B71
                                                                        • htons.WS2_32(?), ref: 02F82B8C
                                                                        • GetProcessHeap.KERNEL32(00000000,00000108), ref: 02F82BFB
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Heaphtons$Process$Allocrecvselectsocket
                                                                        • String ID:
                                                                        • API String ID: 1639031587-0
                                                                        • Opcode ID: 462895248264568b36fd4fee18b59ea4a32207c875660186713154ac6878cf45
                                                                        • Instruction ID: decdd40180074d188a81abe01fb2f9308c2d89d589654800d0aa2e22ab36d611
                                                                        • Opcode Fuzzy Hash: 462895248264568b36fd4fee18b59ea4a32207c875660186713154ac6878cf45
                                                                        • Instruction Fuzzy Hash: 38619F729043499FD720AF65DC48B7AFBE8EB497E5F01080DFB4597140DBB4E8848BA1
                                                                        APIs
                                                                        • RegOpenKeyExA.ADVAPI32(80000001,00000000,00000101,74DF0F10,?,74DF0F10,00000000), ref: 02F870C2
                                                                        • RegEnumValueA.ADVAPI32(74DF0F10,00000000,?,00000020,00000000,00000000,00000000,0000012C,?,74DF0F10,00000000), ref: 02F8719E
                                                                        • RegCloseKey.ADVAPI32(74DF0F10,?,74DF0F10,00000000), ref: 02F871B2
                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 02F87208
                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 02F87291
                                                                        • ___ascii_stricmp.LIBCMT ref: 02F872C2
                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 02F872D0
                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 02F87314
                                                                        • GetFileAttributesExA.KERNEL32(00000022,00000000,?), ref: 02F8738D
                                                                        • RegCloseKey.ADVAPI32(74DF0F10), ref: 02F873D8
                                                                          • Part of subcall function 02F8F1A5: lstrlenA.KERNEL32(000000C8,000000E4,02F922F8,000000C8,02F87150,?), ref: 02F8F1AD
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: Close$AttributesEnumFileOpenValue___ascii_stricmplstrlen
                                                                        • String ID: $"
                                                                        APIs
                                                                        • GetLocalTime.KERNEL32(?), ref: 02F8AD98
                                                                        • SystemTimeToFileTime.KERNEL32(?,?), ref: 02F8ADA6
                                                                          • Part of subcall function 02F8AD08: gethostname.WS2_32(?,00000080), ref: 02F8AD1C
                                                                          • Part of subcall function 02F8AD08: lstrlenA.KERNEL32(00000000), ref: 02F8AD60
                                                                          • Part of subcall function 02F8AD08: lstrlenA.KERNEL32(00000000), ref: 02F8AD69
                                                                          • Part of subcall function 02F8AD08: lstrcpyA.KERNEL32(00000000,LocalHost), ref: 02F8AD7F
                                                                          • Part of subcall function 02F830B5: gethostname.WS2_32(?,00000080), ref: 02F830D8
                                                                          • Part of subcall function 02F830B5: gethostbyname.WS2_32(?), ref: 02F830E2
                                                                        • wsprintfA.USER32 ref: 02F8AEA5
                                                                          • Part of subcall function 02F8A7A3: inet_ntoa.WS2_32(?), ref: 02F8A7A9
                                                                        • wsprintfA.USER32 ref: 02F8AE4F
                                                                        • wsprintfA.USER32 ref: 02F8AE5E
                                                                          • Part of subcall function 02F8EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 02F8EF92
                                                                          • Part of subcall function 02F8EF7C: lstrlenA.KERNEL32(?), ref: 02F8EF99
                                                                          • Part of subcall function 02F8EF7C: lstrlenA.KERNEL32(00000000), ref: 02F8EFA0
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$Timewsprintf$gethostname$FileLocalSystemgethostbynameinet_ntoalstrcpy
                                                                        • String ID: %04x%08.8lx$%08.8lx$%08x@%s$%OUTLOOK_BND_$%OUTLOOK_HST$%OUTLOOK_MID$%s%d$----=_NextPart_%03d_%04X_%08.8lX.%08.8lX$127.0.0.1
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(iphlpapi.dll,74DF23A0,?,000DBBA0,?,00000000,02F82F0F,?,02F820FF,02F92000), ref: 02F82E01
                                                                        • LoadLibraryA.KERNEL32(iphlpapi.dll,?,00000000,02F82F0F,?,02F820FF,02F92000), ref: 02F82E11
                                                                        • GetProcAddress.KERNEL32(00000000,GetNetworkParams), ref: 02F82E2E
                                                                        • GetProcessHeap.KERNEL32(00000000,00004000,?,00000000,02F82F0F,?,02F820FF,02F92000), ref: 02F82E4C
                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,02F82F0F,?,02F820FF,02F92000), ref: 02F82E4F
                                                                        • htons.WS2_32(00000035), ref: 02F82E88
                                                                        • inet_addr.WS2_32(?), ref: 02F82E93
                                                                        • gethostbyname.WS2_32(?), ref: 02F82EA6
                                                                        • GetProcessHeap.KERNEL32(00000000,?,?,00000000,02F82F0F,?,02F820FF,02F92000), ref: 02F82EE3
                                                                        • HeapFree.KERNEL32(00000000,?,00000000,02F82F0F,?,02F820FF,02F92000), ref: 02F82EE6
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: Heap$Process$AddressAllocFreeHandleLibraryLoadModuleProcgethostbynamehtonsinet_addr
                                                                        • String ID: GetNetworkParams$iphlpapi.dll
                                                                        APIs
                                                                        • GetVersionExA.KERNEL32(?,?,02F89DD7,?,00000022,?,?,00000000,00000001), ref: 02F89340
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,?,02F89DD7,?,00000022,?,?,00000000,00000001), ref: 02F8936E
                                                                        • GetModuleFileNameA.KERNEL32(00000000,?,02F89DD7,?,00000022,?,?,00000000,00000001), ref: 02F89375
                                                                        • wsprintfA.USER32 ref: 02F893CE
                                                                        • wsprintfA.USER32 ref: 02F8940C
                                                                        • wsprintfA.USER32 ref: 02F8948D
                                                                        • RegOpenKeyExA.ADVAPI32(80000002,00000000,?,?,00000000,00000101,?), ref: 02F894F1
                                                                        • RegQueryValueExA.ADVAPI32(?,00000000,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02F89526
                                                                        • RegCloseKey.ADVAPI32(?,?,00000000,?,?,?,?,00000000,?,?,?,?,?,00000000,00000101,?), ref: 02F89571
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: wsprintf$Module$CloseFileHandleNameOpenQueryValueVersion
                                                                        • String ID: runas
                                                                        APIs
                                                                        • wsprintfA.USER32 ref: 02F8B467
                                                                          • Part of subcall function 02F8EF7C: lstrlenA.KERNEL32(-00000010,00000000,00000080,-00000004,-00000010), ref: 02F8EF92
                                                                          • Part of subcall function 02F8EF7C: lstrlenA.KERNEL32(?), ref: 02F8EF99
                                                                          • Part of subcall function 02F8EF7C: lstrlenA.KERNEL32(00000000), ref: 02F8EFA0
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: lstrlen$wsprintf
                                                                        • String ID: %DATE$%FROM_DOMAIN$%FROM_EMAIL$%FROM_USER$%M5DATE$%P5DATE$%TO_DOMAIN$%TO_EMAIL$%TO_HASH$%TO_USER$%s@%s
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 02F82078
                                                                        • GetTickCount.KERNEL32 ref: 02F820D4
                                                                        • GetTickCount.KERNEL32 ref: 02F820DB
                                                                        • GetTickCount.KERNEL32 ref: 02F8212B
                                                                        • GetTickCount.KERNEL32 ref: 02F82132
                                                                        • GetTickCount.KERNEL32 ref: 02F82142
                                                                          • Part of subcall function 02F8F04E: SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,02F8E342,00000000,75A8EA50,80000001,00000000,02F8E513,?,00000000,00000000,?,000000E4), ref: 02F8F089
                                                                          • Part of subcall function 02F8F04E: GetSystemTimeAsFileTime.KERNEL32(80000001,?,?,?,02F8E342,00000000,75A8EA50,80000001,00000000,02F8E513,?,00000000,00000000,?,000000E4,000000C8), ref: 02F8F093
                                                                          • Part of subcall function 02F8E854: lstrcpyA.KERNEL32(00000001,?,?,02F8D8DF,00000001,localcfg,except_info,00100000,02F90264), ref: 02F8E88B
                                                                          • Part of subcall function 02F8E854: lstrlenA.KERNEL32(00000001,?,02F8D8DF,00000001,localcfg,except_info,00100000,02F90264), ref: 02F8E899
                                                                          • Part of subcall function 02F81C5F: wsprintfA.USER32 ref: 02F81CE1
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: CountTick$Time$FileSystem$lstrcpylstrlenwsprintf
                                                                        • String ID: localcfg$net_type$rbl_bl$rbl_ip
                                                                        APIs
                                                                          • Part of subcall function 02F8A4C7: GetTickCount.KERNEL32 ref: 02F8A4D1
                                                                          • Part of subcall function 02F8A4C7: InterlockedExchange.KERNEL32(?,00000001), ref: 02F8A4FA
                                                                        • GetTickCount.KERNEL32 ref: 02F8C31F
                                                                        • GetTickCount.KERNEL32 ref: 02F8C32B
                                                                        • GetTickCount.KERNEL32 ref: 02F8C363
                                                                        • GetTickCount.KERNEL32 ref: 02F8C378
                                                                        • GetTickCount.KERNEL32 ref: 02F8C44D
                                                                        • InterlockedIncrement.KERNEL32(02F8C4E4), ref: 02F8C4AE
                                                                        • CreateThread.KERNEL32(00000000,00000000,02F8B535,00000000,?,02F8C4E0), ref: 02F8C4C1
                                                                        • CloseHandle.KERNEL32(00000000,?,02F8C4E0,02F93588,02F88810), ref: 02F8C4CC
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: CountTick$Interlocked$CloseCreateExchangeHandleIncrementThread
                                                                        • String ID: localcfg
                                                                        APIs
                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02F8BE4F
                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02F8BE5B
                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02F8BE67
                                                                        • lstrcmpiA.KERNEL32(?,smtp_herr), ref: 02F8BF6A
                                                                        • lstrcmpiA.KERNEL32(?,smtp_ban), ref: 02F8BF7F
                                                                        • lstrcmpiA.KERNEL32(?,smtp_retr), ref: 02F8BF94
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: lstrcmpi
                                                                        • String ID: smtp_ban$smtp_herr$smtp_retr
                                                                        APIs
                                                                        • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,74DE8A60,?,?,?,?,02F89A60,?,?,02F89E9D), ref: 02F86A7D
                                                                        • GetDiskFreeSpaceA.KERNEL32(02F89E9D,02F89A60,?,?,?,02F922F8,?,?,?,02F89A60,?,?,02F89E9D), ref: 02F86ABB
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,02F89A60,?,?,02F89E9D), ref: 02F86B40
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02F89A60,?,?,02F89E9D), ref: 02F86B4E
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02F89A60,?,?,02F89E9D), ref: 02F86B5F
                                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,02F89A60,?,?,02F89E9D), ref: 02F86B6F
                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,02F89A60,?,?,02F89E9D), ref: 02F86B7D
                                                                        • DeleteFileA.KERNEL32(?,?,?,?,?,?,?,?,02F89A60,?,?,02F89E9D), ref: 02F86B80
                                                                        • GetLastError.KERNEL32(?,?,?,02F89A60,?,?,02F89E9D,?,?,?,?,?,02F89E9D,?,00000022,?), ref: 02F86B96
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: CloseErrorHandleLast$File$CreateDeleteDiskFreeSpace
                                                                        • String ID:
                                                                        APIs
                                                                        • GetUserNameA.ADVAPI32(?,02F8D7C3), ref: 02F86F7A
                                                                        • LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,02F8D7C3), ref: 02F86FC1
                                                                        • ConvertSidToStringSidA.ADVAPI32(?,00000120), ref: 02F86FE8
                                                                        • LocalFree.KERNEL32(00000120), ref: 02F8701F
                                                                        • wsprintfA.USER32 ref: 02F87036
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Similarity
                                                                        • API ID: Name$AccountConvertFreeLocalLookupStringUserwsprintf
                                                                        • String ID: /%d$|
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(kernel32,GetSystemWow64DirectoryA,02F922F8,000000E4,02F86DDC,000000C8), ref: 02F86CE7
                                                                        • GetProcAddress.KERNEL32(00000000), ref: 02F86CEE
                                                                        • GetSystemDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104), ref: 02F86D14
                                                                        • GetWindowsDirectoryA.KERNEL32(C:\Windows\SysWOW64\,00000104,?,00000000), ref: 02F86D2B
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        • API ID: Directory$AddressHandleModuleProcSystemWindows
                                                                        • String ID: C:\Windows\SysWOW64\$GetSystemWow64DirectoryA$kernel32
                                                                        • API String ID: 1082366364-3395550214
                                                                        • Opcode ID: 4e56191c20a093e3747dae2e81344318ce6a57865f9bb953c9d3985771b21987
                                                                        • Instruction ID: dbf6d23e44e8644bc802409b351fce588e78fecc2859772ff6f2ed6b98825595
                                                                        • Opcode Fuzzy Hash: 4e56191c20a093e3747dae2e81344318ce6a57865f9bb953c9d3985771b21987
                                                                        • Instruction Fuzzy Hash: D221F663EC924879FB2177229CCCF67FE8D8B427C4F080448FF05D6181EB9595858AB5
                                                                        APIs
                                                                        • CreateProcessA.KERNEL32(00000000,02F89947,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,02F922F8), ref: 02F897B1
                                                                        • GetThreadContext.KERNEL32(?,?,?,?,?,?,?,02F922F8), ref: 02F897EB
                                                                        • TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,02F922F8), ref: 02F897F9
                                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,02F922F8), ref: 02F89831
                                                                        • SetThreadContext.KERNEL32(?,00010002,?,?,?,?,?,?,?,?,?,02F922F8), ref: 02F8984E
                                                                        • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,02F922F8), ref: 02F8985B
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        • API ID: ProcessThread$Context$CreateMemoryResumeTerminateWrite
                                                                        • String ID: D
                                                                        • API String ID: 2981417381-2746444292
                                                                        • Opcode ID: 6b69fd307d46b40501819e145533994de026d2f70dd3c99ccb323d6b73958853
                                                                        • Instruction ID: 4c4c0b4a2a4d72394b8e8240f95381efbf0d1abe06f07355c4ad48ccb07c9963
                                                                        • Opcode Fuzzy Hash: 6b69fd307d46b40501819e145533994de026d2f70dd3c99ccb323d6b73958853
                                                                        • Instruction Fuzzy Hash: 39213D72D4111DBBEB21AFA1DC49FEFBB7CEF04694F400465BA19E1150EB709654CEA0
                                                                        APIs
                                                                          • Part of subcall function 02F8DD05: GetTickCount.KERNEL32 ref: 02F8DD0F
                                                                          • Part of subcall function 02F8DD05: InterlockedExchange.KERNEL32(02F936B4,00000001), ref: 02F8DD44
                                                                          • Part of subcall function 02F8DD05: GetCurrentThreadId.KERNEL32 ref: 02F8DD53
                                                                          • Part of subcall function 02F8DD84: lstrcmpiA.KERNEL32(80000011,00000000), ref: 02F8DDB5
                                                                        • lstrcpynA.KERNEL32(?,02F81E84,00000010,localcfg,?,flags_upd,?,?,?,?,?,02F8EAAA,?,?), ref: 02F8E8DE
                                                                        • lstrlenA.KERNEL32(?,localcfg,?,flags_upd,?,?,?,?,?,02F8EAAA,?,?,00000001,?,02F81E84,?), ref: 02F8E935
                                                                        • lstrlenA.KERNEL32(00000001,?,?,?,?,?,02F8EAAA,?,?,00000001,?,02F81E84,?,0000000A), ref: 02F8E93D
                                                                        • lstrlenA.KERNEL32(00000000,?,?,?,?,?,02F8EAAA,?,?,00000001,?,02F81E84,?), ref: 02F8E94F
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        • API ID: lstrlen$CountCurrentExchangeInterlockedThreadTicklstrcmpilstrcpyn
                                                                        • String ID: flags_upd$localcfg
                                                                        • API String ID: 204374128-3505511081
                                                                        • Opcode ID: b395180859477e34637be8ff0ac7e1e3381f255c12966fe24995530165ddf9d9
                                                                        • Instruction ID: e308fbb38c3340a0caa0a20acdf4b18a4d8cf7a67364f39cdbf960104039983f
                                                                        • Opcode Fuzzy Hash: b395180859477e34637be8ff0ac7e1e3381f255c12966fe24995530165ddf9d9
                                                                        • Instruction Fuzzy Hash: F9511D72D0020AAFCF11EFA8CD849AEFBF9BF48344F14456AE505A7250E775EA158F60
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        • API ID: Code
                                                                        • String ID:
                                                                        • API String ID: 3609698214-0
                                                                        • Opcode ID: 8b5084e6c69c78513d40a09843e6c685d6d6dc3db52cf080410d22ca2f3dd313
                                                                        • Instruction ID: eea9439e6980b9e3e0453b147d6581b43804034ba08349c10073acb973566667
                                                                        • Opcode Fuzzy Hash: 8b5084e6c69c78513d40a09843e6c685d6d6dc3db52cf080410d22ca2f3dd313
                                                                        • Instruction Fuzzy Hash: 19218176A04119FFDB116B61ED48D9FFA6DDB067E5B104819F702E1050EB319A10D774
                                                                        APIs
                                                                        • GetTempPathA.KERNEL32(00000400,?,00000000,02F922F8), ref: 02F8907B
                                                                        • wsprintfA.USER32 ref: 02F890E9
                                                                        • CreateFileA.KERNEL32(02F922F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02F8910E
                                                                        • lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02F89122
                                                                        • WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02F8912D
                                                                        • CloseHandle.KERNEL32(00000000), ref: 02F89134
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        • API ID: File$CloseCreateHandlePathTempWritelstrlenwsprintf
                                                                        • String ID:
                                                                        • API String ID: 2439722600-0
                                                                        • Opcode ID: c480058017c0cb41a973902ee90adb7d54104bd262d0081f8915e74112c18c2f
                                                                        • Instruction ID: 5dfc1c3fb1c7ca538c73f5945ee8c47422a461c71f3762f53f8cf728fd752d05
                                                                        • Opcode Fuzzy Hash: c480058017c0cb41a973902ee90adb7d54104bd262d0081f8915e74112c18c2f
                                                                        • Instruction Fuzzy Hash: D91187F2B401187BF7257762DC09EAFB66FDFC5B80F008469BB0AA5150EA704A118A64
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 02F8DD0F
                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F8DD20
                                                                        • GetTickCount.KERNEL32 ref: 02F8DD2E
                                                                        • Sleep.KERNEL32(00000000,?,74DF0F10,?,00000000,02F8E538,?,74DF0F10,?,00000000,?,02F8A445), ref: 02F8DD3B
                                                                        • InterlockedExchange.KERNEL32(02F936B4,00000001), ref: 02F8DD44
                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F8DD53
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        • API ID: CountCurrentThreadTick$ExchangeInterlockedSleep
                                                                        • String ID:
                                                                        • API String ID: 3819781495-0
                                                                        • Opcode ID: 171edbfd0592e2c2a44d438e4217ad17020ac10dfc0175e157a391d4318a1332
                                                                        • Instruction ID: eba318cf79f708b74f414a04c04a676b89024c90e1389ae6eaf50aa55a7728a7
                                                                        • Opcode Fuzzy Hash: 171edbfd0592e2c2a44d438e4217ad17020ac10dfc0175e157a391d4318a1332
                                                                        • Instruction Fuzzy Hash: 6AF0547398810C9BDB806B75A884F29F775EB457D1F000859E70AC2191DB205465CF62
                                                                        APIs
                                                                        • gethostname.WS2_32(?,00000080), ref: 02F8AD1C
                                                                        • lstrlenA.KERNEL32(00000000), ref: 02F8AD60
                                                                        • lstrlenA.KERNEL32(00000000), ref: 02F8AD69
                                                                        • lstrcpyA.KERNEL32(00000000,LocalHost), ref: 02F8AD7F
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        • API ID: lstrlen$gethostnamelstrcpy
                                                                        • String ID: LocalHost
                                                                        • API String ID: 3695455745-3154191806
                                                                        • Opcode ID: 1130be1717fae8a9cac19a8fcd45615588c62f1b41ca1a5efd5733f46c67f6d7
                                                                        • Instruction ID: 96be63927a6bedabdf982723893f9e5de7c2a44affc974794e8083c1f30d12fa
                                                                        • Opcode Fuzzy Hash: 1130be1717fae8a9cac19a8fcd45615588c62f1b41ca1a5efd5733f46c67f6d7
                                                                        • Instruction Fuzzy Hash: 12014523C841895DDF312A388844BB4FF66EB867CAF00105BEAC2CB111FF64808387A2
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 02F84BDD
                                                                        • GetTickCount.KERNEL32 ref: 02F84BEC
                                                                        • Sleep.KERNEL32(00000000,?,%FROM_EMAIL,02F85D02,00000000,?,02F8B85C,?,00000080,?,00000000,00000000,?,%FROM_EMAIL), ref: 02F84BF9
                                                                        • InterlockedExchange.KERNEL32(0342C0D0,00000001), ref: 02F84C02
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                        • String ID: %FROM_EMAIL
                                                                        • API String ID: 2207858713-2903620461
                                                                        • Opcode ID: c5995815254db0c2e6498d3a0e7fdc4a6c5e62c21ffe0549f369cb047f05a9b5
                                                                        • Instruction ID: c843bf343933e381f48aca289162aab945472c1514fea00fe5ac598a38554b57
                                                                        • Opcode Fuzzy Hash: c5995815254db0c2e6498d3a0e7fdc4a6c5e62c21ffe0549f369cb047f05a9b5
                                                                        • Instruction Fuzzy Hash: 82E0CD3778121957CB1037B65C84F56F79CEB457E1F060476F709D2150CE56985141B1
                                                                        APIs
                                                                        • CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,02F898FD,00000001,00000100,02F922F8,02F8A3C7), ref: 02F84290
                                                                        • CloseHandle.KERNEL32(02F8A3C7), ref: 02F843AB
                                                                        • CloseHandle.KERNEL32(00000001), ref: 02F843AE
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        • API ID: CloseHandle$CreateEvent
                                                                        • String ID:
                                                                        • API String ID: 1371578007-0
                                                                        • Opcode ID: c7ee0743c493decf7e7f1fd0a085db7d487515eed5ea293f4aaf88a10d53f9ca
                                                                        • Instruction ID: 59be64b3548af179ca0ac0d32e0760c866976486c8f1c2bc2feda24b117185aa
                                                                        • Opcode Fuzzy Hash: c7ee0743c493decf7e7f1fd0a085db7d487515eed5ea293f4aaf88a10d53f9ca
                                                                        • Instruction Fuzzy Hash: 5B4188B2D0020ABADB21ABA1DD85FAFFBB9EF407A4F104555F614A2190DB348650DBA0
                                                                        APIs
                                                                        • IsBadReadPtr.KERNEL32(?,00000014,00000000,?,00000000,?,02F864CF,00000000), ref: 02F8609C
                                                                        • LoadLibraryA.KERNEL32(?,?,02F864CF,00000000), ref: 02F860C3
                                                                        • GetProcAddress.KERNEL32(?,00000014), ref: 02F8614A
                                                                        • IsBadReadPtr.KERNEL32(-000000DC,00000014), ref: 02F8619E
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        • API ID: Read$AddressLibraryLoadProc
                                                                        • String ID:
                                                                        • API String ID: 2438460464-0
                                                                        • Opcode ID: 678a882449af3fd548612e50af8c8e502ae19b52d63711b2939d195d8e8b4355
                                                                        • Instruction ID: c51b1630cf7249dccdac4a51d1ac4921a3b77668b28d7386450723408b86e2c4
                                                                        • Opcode Fuzzy Hash: 678a882449af3fd548612e50af8c8e502ae19b52d63711b2939d195d8e8b4355
                                                                        • Instruction Fuzzy Hash: 9A414D72F00509AFEB14EF54C884B79F7B9EF04B98F148169EA15D7292DB30E954CB90
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4262d63785f0dbfa2282db2d229e43f41f386e3eea1dc4e27b23ef58347e9901
                                                                        • Instruction ID: 88ce00e4a0988b57f1dda77b1219bb87daeb6517e34ffba4935ffedfe3b38bf4
                                                                        • Opcode Fuzzy Hash: 4262d63785f0dbfa2282db2d229e43f41f386e3eea1dc4e27b23ef58347e9901
                                                                        • Instruction Fuzzy Hash: D431A072A00208ABDB20AFA9CC81BBEF7F4FF48781F104456EA04E6241E374E641CB54
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 02F8272E
                                                                        • htons.WS2_32(00000001), ref: 02F82752
                                                                        • htons.WS2_32(0000000F), ref: 02F827D5
                                                                        • htons.WS2_32(00000001), ref: 02F827E3
                                                                        • sendto.WS2_32(?,02F92BF8,00000009,00000000,00000010,00000010), ref: 02F82802
                                                                          • Part of subcall function 02F8EBCC: GetProcessHeap.KERNEL32(00000000,00000000,80000001,02F8EBFE,7FFF0001,?,02F8DB55,7FFF0001), ref: 02F8EBD3
                                                                          • Part of subcall function 02F8EBCC: RtlAllocateHeap.NTDLL(00000000,?,02F8DB55,7FFF0001), ref: 02F8EBDA
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        • API ID: htons$Heap$AllocateCountProcessTicksendto
                                                                        • String ID:
                                                                        • API String ID: 1128258776-0
                                                                        • Opcode ID: 23359f1a2b51d0245bfa4987dd006fbbe55813947ebf74708b46f560ca181785
                                                                        • Instruction ID: fc14bb0e5663e93ae692fecdcd2f20391a697b6a811ac598a1c16adfdaed7228
                                                                        • Opcode Fuzzy Hash: 23359f1a2b51d0245bfa4987dd006fbbe55813947ebf74708b46f560ca181785
                                                                        • Instruction Fuzzy Hash: 75315B34A803CEAFD710AF76D880AA9F7A0EF19398B19445DED558B312D732E452CB50
                                                                        APIs
                                                                        • GetModuleHandleA.KERNEL32(00000000,?,00000104,00000100,02F922F8), ref: 02F8915F
                                                                        • GetModuleFileNameA.KERNEL32(00000000), ref: 02F89166
                                                                        • CharToOemA.USER32(?,?), ref: 02F89174
                                                                        • wsprintfA.USER32 ref: 02F891A9
                                                                          • Part of subcall function 02F89064: GetTempPathA.KERNEL32(00000400,?,00000000,02F922F8), ref: 02F8907B
                                                                          • Part of subcall function 02F89064: wsprintfA.USER32 ref: 02F890E9
                                                                          • Part of subcall function 02F89064: CreateFileA.KERNEL32(02F922F8,40000000,00000000,00000000,00000002,00000000,00000000), ref: 02F8910E
                                                                          • Part of subcall function 02F89064: lstrlenA.KERNEL32(00000000,00000100,00000000), ref: 02F89122
                                                                          • Part of subcall function 02F89064: WriteFile.KERNEL32(00000000,00000000,00000000), ref: 02F8912D
                                                                          • Part of subcall function 02F89064: CloseHandle.KERNEL32(00000000), ref: 02F89134
                                                                        • ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000000), ref: 02F891E1
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        • API ID: File$HandleModulewsprintf$CharCloseCreateExecuteNamePathShellTempWritelstrlen
                                                                        • String ID:
                                                                        • API String ID: 3857584221-0
                                                                        • Opcode ID: 808ac88808e30a810002f5ae70dcef2b257585b55a646a7a858f4c22913c7451
                                                                        • Instruction ID: 8d196f2c0f1dd100e792ba032bad4be2a5fec0c3e960760278830dc869a1e059
                                                                        • Opcode Fuzzy Hash: 808ac88808e30a810002f5ae70dcef2b257585b55a646a7a858f4c22913c7451
                                                                        • Instruction Fuzzy Hash: CA0180F78401187BEA21A7619D49FEFB77CDB85B41F000096BB09E2040DAB096848F70
                                                                        APIs
                                                                        • lstrlenA.KERNEL32(?,localcfg,?,00000000,?,?,02F82491,?,?,?,02F8E844,-00000030,?,?,?,00000001), ref: 02F82429
                                                                        • lstrlenA.KERNEL32(?,?,02F82491,?,?,?,02F8E844,-00000030,?,?,?,00000001,02F81E3D,00000001,localcfg,lid_file_upd), ref: 02F8243E
                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 02F82452
                                                                        • lstrlenA.KERNEL32(?,?,02F82491,?,?,?,02F8E844,-00000030,?,?,?,00000001,02F81E3D,00000001,localcfg,lid_file_upd), ref: 02F82467
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrlen$lstrcmpi
                                                                        • String ID: localcfg
                                                                        • API String ID: 1808961391-1857712256
                                                                        • Opcode ID: 6d543e9f7955b7f49c44ac3e8c89f9bd2bf6abaae981d06f2c75600ea4f45ed6
                                                                        • Instruction ID: f68713c04ed254cea40c77790455ac80ef47de5bc768f14b1476e0bcbe6b9406
                                                                        • Opcode Fuzzy Hash: 6d543e9f7955b7f49c44ac3e8c89f9bd2bf6abaae981d06f2c75600ea4f45ed6
                                                                        • Instruction Fuzzy Hash: 67011A32A0025CEFCF11EF69CD849DEBBA9EF44394B01C429ED5997211E330EE508AA0
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: wsprintf
                                                                        • String ID: %u.%u.%u.%u.%s$localcfg
                                                                        • API String ID: 2111968516-120809033
                                                                        • Opcode ID: 75b2718f8b25be4b4ac458eca6438f042227d36160a56fcb00beffbf41ef11e5
                                                                        • Instruction ID: fa768b0ab4c1e9ef78a210072fa1ae9bff8884d4f050c188b4f2bccc18008fc5
                                                                        • Opcode Fuzzy Hash: 75b2718f8b25be4b4ac458eca6438f042227d36160a56fcb00beffbf41ef11e5
                                                                        • Instruction Fuzzy Hash: 0B418A729042989FDF21EF798C44BEEBBE99F49350F240156FAA5D3141E634EA05CFA0
                                                                        APIs
                                                                          • Part of subcall function 02F8DD05: GetTickCount.KERNEL32 ref: 02F8DD0F
                                                                          • Part of subcall function 02F8DD05: InterlockedExchange.KERNEL32(02F936B4,00000001), ref: 02F8DD44
                                                                          • Part of subcall function 02F8DD05: GetCurrentThreadId.KERNEL32 ref: 02F8DD53
                                                                        • lstrcmpA.KERNEL32(74DF0F18,00000000,?,74DF0F10,00000000,?,02F85EC1), ref: 02F8E693
                                                                        • lstrcpynA.KERNEL32(00000008,00000000,0000000F,?,74DF0F10,00000000,?,02F85EC1), ref: 02F8E6E9
                                                                        • lstrcmpA.KERNEL32(89ABCDEF,00000008,?,74DF0F10,00000000,?,02F85EC1), ref: 02F8E722
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: lstrcmp$CountCurrentExchangeInterlockedThreadTicklstrcpyn
                                                                        • String ID: 89ABCDEF
                                                                        • API String ID: 3343386518-71641322
                                                                        • Opcode ID: 2c27bbb2946ac2324a8acd7cdee371cbd89718e1edc2900ef43c42f8a24fb7ed
                                                                        • Instruction ID: a7f9930f78c6d50f7de865e1781715e0e16b63486cc5d9aadbbfe66231eb6ce4
                                                                        • Opcode Fuzzy Hash: 2c27bbb2946ac2324a8acd7cdee371cbd89718e1edc2900ef43c42f8a24fb7ed
                                                                        • Instruction Fuzzy Hash: B031AF32E00709EBDF31AF64D88476AB7E4AB01794F10482AFB5687551E770E884CF81
                                                                        APIs
                                                                        • RegCreateKeyExA.ADVAPI32(80000001,02F8E2A3,00000000,00000000,00000000,00020106,00000000,02F8E2A3,00000000,000000E4), ref: 02F8E0B2
                                                                        • RegSetValueExA.ADVAPI32(02F8E2A3,?,00000000,00000003,80000001,000FF000,?,?,?,?,000000C8,02F922F8), ref: 02F8E127
                                                                        • RegDeleteValueA.ADVAPI32(02F8E2A3,?,?,?,?,?,000000C8,02F922F8), ref: 02F8E158
                                                                        • RegCloseKey.ADVAPI32(02F8E2A3,?,?,?,?,000000C8,02F922F8,?,?,?,?,?,?,?,?,02F8E2A3), ref: 02F8E161
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: Value$CloseCreateDelete
                                                                        • String ID:
                                                                        • API String ID: 2667537340-0
                                                                        • Opcode ID: 9a1a220b306895a1590854d241caea1281f0b22ef3e727fc641ebd71f391253b
                                                                        • Instruction ID: 34f586fc5c4befabf4acbddc103895529a4881347e9bf40ef00d2ee0975e5134
                                                                        • Opcode Fuzzy Hash: 9a1a220b306895a1590854d241caea1281f0b22ef3e727fc641ebd71f391253b
                                                                        • Instruction Fuzzy Hash: 56212172E40219BBDF20AEA4DC89EEEBF79EF05B90F004065FA05A6150D6718A54DB90
                                                                        APIs
                                                                        • ReadFile.KERNEL32(00000000,00000000,02F8A3C7,00000000,00000000,000007D0,00000001), ref: 02F83FB8
                                                                        • GetLastError.KERNEL32 ref: 02F83FC2
                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 02F83FD3
                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F83FE6
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorFileLastObjectOverlappedReadResultSingleWait
                                                                        • String ID:
                                                                        • API String ID: 888215731-0
                                                                        • Opcode ID: 0faf2255eec0843a3f984e4cbeb7f4cf2dc7cd240248843a6ae22eeeadd53a2f
                                                                        • Instruction ID: 663594f297a7eaca56a99c1c5e16183eee3da50c26fce25b9c941aa9d51da2a4
                                                                        • Opcode Fuzzy Hash: 0faf2255eec0843a3f984e4cbeb7f4cf2dc7cd240248843a6ae22eeeadd53a2f
                                                                        • Instruction Fuzzy Hash: 9801E97291011AABDF11EF94D945BEEBB7CEF04795F004455FA12E2060DB70DA64CBB1
                                                                        APIs
                                                                        • WriteFile.KERNEL32(00000000,00000000,02F8A3C7,00000000,00000000,000007D0,00000001), ref: 02F83F44
                                                                        • GetLastError.KERNEL32 ref: 02F83F4E
                                                                        • WaitForSingleObject.KERNEL32(00000004,?), ref: 02F83F5F
                                                                        • GetOverlappedResult.KERNEL32(00000000,00000000,00000000,00000000), ref: 02F83F72
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: ErrorFileLastObjectOverlappedResultSingleWaitWrite
                                                                        • String ID:
                                                                        • API String ID: 3373104450-0
                                                                        • Opcode ID: 5d47be58eb9c38d9efb5daaa008bb4483b4303af09a9a3895cdfe7c068316568
                                                                        • Instruction ID: bbdf48bf74da4c6045b43d755c36f58fa4926cb910058bd73af955f3a6b6ad2f
                                                                        • Opcode Fuzzy Hash: 5d47be58eb9c38d9efb5daaa008bb4483b4303af09a9a3895cdfe7c068316568
                                                                        • Instruction Fuzzy Hash: FE01D372A11119ABDB05EF90D984BEEBBBCEF04795F104469FA01E2060D7349A249BA2
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 02F8A4D1
                                                                        • GetTickCount.KERNEL32 ref: 02F8A4E4
                                                                        • Sleep.KERNEL32(00000000,?,02F8C2E9,02F8C4E0,00000000,localcfg,?,02F8C4E0,02F93588,02F88810), ref: 02F8A4F1
                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 02F8A4FA
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                        • String ID:
                                                                        • API String ID: 2207858713-0
                                                                        • Opcode ID: 26e5e92318647f51f4c8fdceb3e7bfbfc6d2f6b52013b2ace0f0db678dd63878
                                                                        • Instruction ID: 583b8e762b1f9fe2093f2694055b4b29cbe7b5c98d48a796cee36cacf343f0cd
                                                                        • Opcode Fuzzy Hash: 26e5e92318647f51f4c8fdceb3e7bfbfc6d2f6b52013b2ace0f0db678dd63878
                                                                        • Instruction Fuzzy Hash: 19E0263364020857CE0027A5AD84F6AF388EB49BE1F010426FB04D3240CA1AA86181B2
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 02F84E9E
                                                                        • GetTickCount.KERNEL32 ref: 02F84EAD
                                                                        • Sleep.KERNEL32(0000000A,?,00000001), ref: 02F84EBA
                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 02F84EC3
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                        • String ID:
                                                                        • API String ID: 2207858713-0
                                                                        • Opcode ID: 62237ee25088805aaa667ca2bf7689e9d7e9ea8a4519274d123723725084d800
                                                                        • Instruction ID: 7f8eb499616163f8c5813f0f676d9195bf28398aab7ff7c283bc391bc11d9e87
                                                                        • Opcode Fuzzy Hash: 62237ee25088805aaa667ca2bf7689e9d7e9ea8a4519274d123723725084d800
                                                                        • Instruction Fuzzy Hash: 67E0863374121957D71077B9AC84F57F6499B457E1F010935E709D2180DA56986245B1
                                                                        APIs
                                                                        • GetTickCount.KERNEL32 ref: 02F83103
                                                                        • GetTickCount.KERNEL32 ref: 02F8310F
                                                                        • Sleep.KERNEL32(00000000), ref: 02F8311C
                                                                        • InterlockedExchange.KERNEL32(?,00000001), ref: 02F83128
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTick$ExchangeInterlockedSleep
                                                                        • String ID:
                                                                        • API String ID: 2207858713-0
                                                                        • Opcode ID: 1d77dc6898b834e7d2993fafb3cb0826dafde5d8bba0573c1631364340e19d58
                                                                        • Instruction ID: 3dd52e5550187971c42e93bb0b0b43dc922114f7ad56d7a400b6a890ef4ec708
                                                                        • Opcode Fuzzy Hash: 1d77dc6898b834e7d2993fafb3cb0826dafde5d8bba0573c1631364340e19d58
                                                                        • Instruction Fuzzy Hash: 60E0C232F40219ABEF007B75AD44B69FA5ADF84FE1F010879F305D20B0CA504C208A71
                                                                        APIs
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTick
                                                                        • String ID: localcfg
                                                                        • API String ID: 536389180-1857712256
                                                                        • Opcode ID: 286cf8b4a86f14e7fc0cae9a9b68505696e9e56a7c8866add34837a247340184
                                                                        • Instruction ID: 5de40a9824e8da7eda147b8070da1a907d2b63f44862d44c5b2368776ad82793
                                                                        • Opcode Fuzzy Hash: 286cf8b4a86f14e7fc0cae9a9b68505696e9e56a7c8866add34837a247340184
                                                                        • Instruction Fuzzy Hash: 9E21D233E1011DAFCB14AF64C891A5AFBBAEF203D4BA5059AD602D7101EB31E950CB50
                                                                        APIs
                                                                        Strings
                                                                        • Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl, xrefs: 02F8C057
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CountTickwsprintf
                                                                        • String ID: Type = %d: works = %d cur_thr = %d num_thr = %d integr = %d integr_nl = %d fCntrl = %d time_ok_filt = %d cntr = %d time_nl_filt = %d last_time_work = %d last_time_getem = %d last_time_calc = %d last_time_nl
                                                                        • API String ID: 2424974917-1012700906
                                                                        • Opcode ID: f588e25a443c124b32c12d8e14919f61ff6cc3660f7d562263284b64743ff1ab
                                                                        • Instruction ID: 2d6c333c48ddcaa7467e8be85b7da95569b32304269f9bc007e19678aeaaebab
                                                                        • Opcode Fuzzy Hash: f588e25a443c124b32c12d8e14919f61ff6cc3660f7d562263284b64743ff1ab
                                                                        • Instruction Fuzzy Hash: 7E119772500100FFDB429BA9CD44E567FA6FF88358B34819CF6188E126D633D863EB50
                                                                        APIs
                                                                          • Part of subcall function 02F830FA: GetTickCount.KERNEL32 ref: 02F83103
                                                                          • Part of subcall function 02F830FA: InterlockedExchange.KERNEL32(?,00000001), ref: 02F83128
                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F83929
                                                                        • GetCurrentThreadId.KERNEL32 ref: 02F83939
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: CurrentThread$CountExchangeInterlockedTick
                                                                        • String ID: %FROM_EMAIL
                                                                        • API String ID: 3716169038-2903620461
                                                                        • Opcode ID: 62668477f66c1fc705c690e73ae063ea79f1ef557d9807a01b50c5be8b7f8340
                                                                        • Instruction ID: 5ac2689987c1c74c2948394d86c9fd97dcc2f6b4920d8022bcf91dce86762e9e
                                                                        • Opcode Fuzzy Hash: 62668477f66c1fc705c690e73ae063ea79f1ef557d9807a01b50c5be8b7f8340
                                                                        • Instruction Fuzzy Hash: 08114C71940208EFDB20EF1AD481A5CF3F6FB04B95F10899EEE4597290C770AA80CFA0
                                                                        APIs
                                                                        • lstrcpynA.KERNEL32(?,?,0000003E,?,%FROM_EMAIL,00000000,?,02F8BD6F,?,?,0000000B,no locks and using MX is disabled,000000FF), ref: 02F8ABB9
                                                                        • InterlockedIncrement.KERNEL32(02F93640), ref: 02F8ABE1
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: IncrementInterlockedlstrcpyn
                                                                        • String ID: %FROM_EMAIL
                                                                        • API String ID: 224340156-2903620461
                                                                        • Opcode ID: b4c3fbf62b5bd121b0f98228a2eaac25a099cca2e464a774afefc924029dc26d
                                                                        • Instruction ID: ca0e69103389a0d46cf53fa145192594b51208e3f8a4a57ed9f0743b1d3ecf18
                                                                        • Opcode Fuzzy Hash: b4c3fbf62b5bd121b0f98228a2eaac25a099cca2e464a774afefc924029dc26d
                                                                        • Instruction Fuzzy Hash: 070171319083C4AFEB11DF18D885F96BBA6EF55394F15488AF68047213C771E594CB91
                                                                        APIs
                                                                        • gethostbyaddr.WS2_32(00000000,00000004,00000002), ref: 02F826C3
                                                                        • inet_ntoa.WS2_32(?), ref: 02F826E4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
                                                                        Yara matches
                                                                        Similarity
                                                                        • API ID: gethostbyaddrinet_ntoa
                                                                        • String ID: localcfg
                                                                        • API String ID: 2112563974-1857712256
                                                                        • Opcode ID: c6f6c8a5a4fc28f574fab682de51f61ec6756a74e6a0bc7b088f41d992b836f1
                                                                        • Instruction ID: f50e416f16aadd1642de86e609b6624cd0365efae51d8279a8675ed98ddff131
• Opcode Fuzzy Hash: c6f6c8a5a4fc28f574fab682de51f61ec6756a74e6a0bc7b088f41d992b836f1
• Instruction Fuzzy Hash: 8CF037776482097FEF007FA4EC05AAA779DDF05690F144465FF08DA090DB71E950DB98
APIs
• LoadLibraryA.KERNEL32(ntdll.dll,02F8EB54,_alldiv,02F8F0B7,80000001,00000000,00989680,00000000,?,?,?,02F8E342,00000000,75A8EA50,80000001,00000000), ref: 02F8EAF2
• GetProcAddress.KERNEL32(76E90000,00000000), ref: 02F8EB07
Strings
Memory Dump Source
• Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: 9adae2df4db4727e1abb4f9119d58cbbd507e988321d2f321f1505afda45a670
• Instruction ID: 33b6d558f3802fbcfc196de93e7438162016cf7b892aab9544218cab4eaed1d7
• Opcode Fuzzy Hash: 9adae2df4db4727e1abb4f9119d58cbbd507e988321d2f321f1505afda45a670
• Instruction Fuzzy Hash: 96D0C935E8030A9BEF125FA6AA0BE0AF6E8AB40BC1B404859B50AD1210EB30D464DF00
APIs
  • Part of subcall function 02F82D21: GetModuleHandleA.KERNEL32(00000000,74DF23A0,?,00000000,02F82F01,?,02F820FF,02F92000), ref: 02F82D3A
  • Part of subcall function 02F82D21: LoadLibraryA.KERNEL32(?), ref: 02F82D4A
• GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 02F82F73
• HeapFree.KERNEL32(00000000), ref: 02F82F7A
Memory Dump Source
• Source File: 00000011.00000002.2948445261.0000000002F80000.00000040.00000400.00020000.00000000.sdmp, Offset: 02F80000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_2f80000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$FreeHandleLibraryLoadModuleProcess
• String ID:
• API String ID: 1017166417-0
• Opcode ID: d57eca0904f596b0eccb3979c5be22b92a11136d6893fcaf5dd7348d470416ae
• Instruction ID: 931d2c9f298a807be253e0169f6d5b23981390717bd899f0d5f1315d2d1fe590
• Opcode Fuzzy Hash: d57eca0904f596b0eccb3979c5be22b92a11136d6893fcaf5dd7348d470416ae
• Instruction Fuzzy Hash: 3A51917290024A9FDF01AF64DC88AF9F7B5FF05744F1045A9ED96D7220E7329A19CB90